Energy Efficient,
Powerful Performance


With dual Intel® Xeon® 5500 series Quad-Core or Dual-Core processors and up to 144GB of 
DDR3 memory, the iX-Athena is designed for small businesses seeking a high performance 
computing solution. 


iX-Athena 


Notable features include:


* Dual 64-Bit Socket 1366 Quad-Core or Dual-Core Intel® Xeon® Processor 5500 Series
* Eight 3.5” Hot-swap SAS/SATA HDDs in a 4U/Tower Configuration (Optional 4U Rackmount Rail Kit Available)
* Dual Intel® 5520 Chipsets with Quick-Path Interconnect (QPI) up to 6.4 GT/s
* Up to 144GB DDR3 1333/1066/800MHz ECC Registered DIMM/24GB Unbuffered DIMM (18 DIMM Slots)
* Two (x16) PCI-E 2.0 slots, Four (x8) PCI-E 2.0 slots (1 in x16 slot), and One (x4) PCI-E slot (in x8 slot)
* Intel® 82576 Dual-Port Gigabit Ethernet Controller
* Matrox G200eW Graphics Support
* Integrated IPMI 2.0 with Dedicated LAN
* Realtek ALC888 7.1 HD audio
* Two 5,000 RPM Hot-swap Cooling Fans
* Two 5,000 RPM Hot-swap Rear Exhaust Fans
* 1400W Redundant High Efficiency Power Supply (Gold Level 93%+ power efficiency)
the iX-Athena Workstation


The iX-Athena showcases amazing computing performance and energy efficiency, while 
keeping noise levels to a minimum. 


The iX-Athena delivers the most powerful performance available on the market today. Dual Intel® Xeon® 5500 series 
Quad-Core or Dual-Core processors boost performance for specific workloads by increasing processor frequency. Next- 
generation Intel® Virtualization Technology enhances performance in virtualized environments by up to 2.1x with new 
hardware-assist capabilities. Up to 144GB of DDR3 memory with eighteen DIMM sockets supports higher performance for 
data-intensive applications and makes it easy for the iX-Athena to handle any workload.


In terms of energy efficiency, the iX-Athena also leads the pack. The automated low-power states of the Intel® Xeon® 5500 
series processors intelligently save power during low-use periods and increase performance when the system requires it. The 
iX-Athena also features an FCC Class B certified power supply with gold level (93%+) energy efficiency to provide 1400W of 
power and minimize impact on the environment. 


The Super-Quiet operation of the iX-Athena allows users to spend less time distracted by a loud machine, and more time 
focusing on its powerful computing capabilities. At normal operation levels, the iX-Athena workstation’s 5,000 RPM cooling
and exhaust fans perform at a hushed 38 decibels to make this an ideal machine for any office or lab environment. 


With eight 3.5” hot-swappable SAS/SATA hard drive bays, the iX-Athena also offers ample storage for all conceivable 
technical computing and graphics applications. The iX-Athena even includes four dedicated power connectors for high-end 
graphics cards, all contained in a stylishly sleek, high-end quality, dark gray chassis. 


To order today call: 
1-800-820-BSDi 


For more information about the iX-Athena visit: 
http://www.iXsystems.com/Athena 


Powerful. 
Intelligent. 





Intel, the Intel logo, and Xeon Inside are trademarks or registered 
trademarks of Intel Corporation in the U.S. and other countries. 








Dear Readers! 


BSD is already becoming an international magazine. People
all over the world have access to our magazine and
download it. We are happy that our work is so appreciated
and BSD magazine's popularity is growing!


First of all I wanted to thank you for your letters of
support; they really mean a lot to us and constantly help
us to improve! All our authors worked hard to make their
articles interesting and useful. I really hope you will like
this issue as much as the previous one.


This month's topic is “BSD as a desktop”. Why this
topic?


We thought that some of you still might have doubts
on choosing an OS, so this issue surely will help you to
learn more about BSD as a desktop and help you to make a
decision.


But those of you who already use BSD should not
close the magazine after reading my previous statement,
because you could lose a lot. =)


Please feel free to contact us; we are open to criticism,
not only to new ideas and suggestions.
Your feedback is very important to us.


Olga Kartseva 
Editor in Chief 
get started


Build Your Own FreeBSD Update Server
Jason Helfman
Experienced users or administrators responsible for several
machines or environments know the difficult demands and
challenges of maintaining such an infrastructure. The article
outlines the steps involved in creating an internal FreeBSD
Update Server.


Using OpenBSD and PF as a Virtual Firewall for Windows
Pedro Lereno
The Windows firewall, by default, has many open ports
to the local network, like the file and print sharing service
ports, which are the source of many security holes. How
to protect a Windows host with a basic configuration of
an OpenBSD virtual machine with PF as a NAT router and
firewall?





how-to’s 


Keeping FreeBSD Applications Up-To-Date
Richard Bejtlich, Principal Technologist and Director of
Incident Response, General Electric
An important system administration task, and a principle of
running a defensible network, is keeping operating systems
and applications up-to-date. In this article you will find
multiple ways to complete this task.


Contents














Spam Control with a stock OpenBSD install
Girish Venkatachalam
Ever since e-mails became ubiquitous,
unwanted e-mails or spam, also known
as UCE (Unsolicited Commercial E-mail)
or UBE (Unsolicited Bulk E-mail), also
became popular. Any chance to control
this? OpenBSD has an excellent
method to fight spam and this
article is about it.


Choosing and Installing a Window Manager with FreeBSD
Rob Somerville
Step by step installing with comments and advice. One of
the many attractive features of BSD is that the end-user is not
tied to a particular desktop or windowing environment.


interview 
BSD Live Desktops


Jesse Smith 
Last week Zafer Aydogan, founder of Jibbed, and Stefan
Rinkes, founder of GNOBSD, agreed to talk with Jesse Smith
about their projects (from which the BSD community will surely
benefit), themselves and BSD.


let’s talk 


BSD goes to the Office: Can BSD compete in a real life consulting workplace?
Mike Bybee, Consultant, Fujitsu America
A reminder of our last issue's topic: an article about an
experiment to determine the viability of a BSD desktop in a
real world, high pressure consulting engagement. There
are many articles that expound on the success of Linux as a
desktop, and quite a few accounts of using a Linux desktop
in this case or that case. But this one is written not from the
perspective of a journalist or home user, but from a system
administration and consulting perspective.


www.bsdmag.org 
Build Your Own FreeBSD Update Server

Jason Helfman

Experienced users or administrators responsible for several machines or
environments know the difficult demands and challenges of maintaining such an
infrastructure.


Running a FreeBSD Update Server makes it easier to
deploy security and software patches to selected test
machines before rolling them out to production. It also
means a number of systems can be updated from the
local network rather than a much slower Internet connection.
This article outlines the steps involved in creating an internal
FreeBSD Update Server.


Prerequisites
To build an internal FreeBSD Update Server you will need the
following: 

A running FreeBSD system.

A user account with at least 4 GB of available space. This
will allow for the creation of updates for at least 7.1 and 7.2.
Beyond this, space requirements will need to be considered.

An ssh(1) account on a remote machine to upload
distributed updates. See the man page here: http://
www.freebsd.org/cgi/man.cgi?query=ssh&sektion=1.

An Apache web server (http://www.freebsd.org/doc/en_US.ISO8859-1/
books/handbook/network-apache.html) with over
half of the space required for the build. For instance,
my builds total 4G, and the webserver space needed to
distribute updates is 2.6G.

Basic knowledge of shell scripting with the Bourne shell, sh(1).
See the man page here: http://www.freebsd.org/cgi/man.cgi
?query=sh&sektion=1.


Configuration: Installation & Setup
Download the freebsd-update-server software at http://
www.freebsd.org/cgi/cvsweb.cgi/projects/freebsd-update-
server/. A tarball may be downloaded, or use csup(1) and the
projects-all collection. See the man page here for csup: http://
www.freebsd.org/cgi/man.cgi?query=csup&sektion=1.

Update scripts/build.conf appropriately. It is sourced
during build operations.

Here is the default build.conf.default, which should be
modified (Listing 1).

Parameters for consideration would be:

FTP - This is where the subroutine fetchiso() declared
in scripts/build.subr will contact the configured source for
downloading the FreeBSD ISO. This can be configured to
be an http address, as well. For our purposes, ISOs are
on the same server as our internal HTTP server that will be
serving updates. The software has been configured to look
in that location. For this setup, we have to alter the routine to
fetch the ISO. By copying the source build.subr to scripts/
RELEASE/ARCHITECTURE/build.subr, this file will be sourced
instead of the released source for build.subr.

BUILDHOSTNAME - Host where software will build.
Coincidentally, this information will be displayed on updated
systems when issuing: uname -v

SSHKEY - Key for uploading to the update server where clients
will fetch patches or upgrades. A key pair is created by
executing ssh-keygen -t dsa. Altering
this parameter is not necessary, as
standard password authentication
through ssh will suffice if configured
properly. ssh-keygen(1) has more
detailed information on creating
a key pair; the man page can be
found here: http://www.freebsd.org/
cgi/man.cgi?query=ssh-keygen
&sektion=1.

MASTERACCT - Account that files are
uploaded to on the remote system.

MASTERDIR - Directory where files
are uploaded to on the remote system.

This article describes building an internal FreeBSD Update Server. The freebsd-update-server software, located at http://www.freebsd.org/cgi/
cvsweb.cgi/projects/freebsd-update-server/, is written by Colin Percival (cperciva@FreeBSD.org), Security Officer of FreeBSD. If you thought
it was fun to update your system against an official Update Server, just wait until you have an updated system from your very own FreeBSD
Update Server.


Now that build directives are set, the
installation files are configured for a build.
For this example, we will use RELEASE-7.2
under the amd64 architecture. Configuration
files for the i386 architecture are available
with the downloaded source.

Create the build environment directory
under scripts/RELEASE-7.2/amd64:

% mkdir -p /usr/local/freebsd-update-server/scripts/RELEASE-7.2/amd64

This is the build.conf file that should be
placed in the directory that was created in
the previous step (see Listing 2).


Note

To generate the End of Life number for
build.conf, refer to the Estimated EOL
posted on the FreeBSD Security Website
at http://www.freebsd.org/security/security.html.

Based on this date, you can issue
date -j -f '%Y%m%d-%H%M%S' '20090401-000000' +%s,
and substitute actual date parameters
for those stated by FreeBSD.

The SHA256 hash key for the desired
release is published within the respective
release announcement found at http://
www.freebsd.org/releases/.


Building Update Code 


The first step is to run scripts/make.sh.
This will build some binaries, create
directories, and generate an RSA signing
key used for approving builds. In this step,
a passphrase will have to be supplied for
the final creation of the signing key (see
Listing 3).







Listing 1. Installation and Setup 1st step

# $FreeBSD: projects/freebsd-update-server/scripts/build.conf,v 1.1 2006/08/31 07:48:40 cperciva Exp $

# Main configuration file for FreeBSD Update builds. The
# release-specific configuration data is lower down in
# the scripts tree.

# Location from which to fetch releases
export FTP=ftp://ftp2.freebsd.org/pub/FreeBSD/releases

# Host platform
export HOSTPLATFORM=`uname -m`

# Host name to use inside jails
export BUILDHOSTNAME=${HOSTPLATFORM}-builder.daemonology.net

# Location of SSH key
export SSHKEY=/root/.ssh/id_dsa

# SSH account into which files are uploaded
MASTERACCT=builder@wadham.daemonology.net

# Directory into which files are uploaded
MASTERDIR=update-master.freebsd.org


Listing 2. Installation and Setup 2nd step

# SHA256 hash of RELEASE disc1.iso image.
export RELH=lealfofe52d7ch5f5eab7ef9f8edbed50cb664b08ed761850F95Ff48e86cc7lef5

# Components of the world, source, and kernels
export WORLDPARTS="base catpages dict doc games info manpages proflibs lib32"
export SOURCEPARTS="base bin contrib crypto etc games gnu include krb5 \
    lib libexec release rescue sbin secure share sys tools \
    ubin usbin cddl"
export KERNELPARTS="generic"

# EOL date
export EOL=1275289200


Listing 3. Building Update Code. Final creation of a signing key

# sudo sh scripts/make.sh
cc -O2 -fno-strict-aliasing -pipe findstamps.c -o findstamps
findstamps.c: In function 'usage':
findstamps.c:45: warning: incompatible implicit declaration of built-in function 'exit'
cc -O2 -fno-strict-aliasing -pipe unstamp.c -o unstamp
install findstamps ../bin
install unstamp ../bin
rm -f findstamps unstamp
Generating RSA private key, 4096 bit long modulus
e is 65537 (0x10001)
Public key fingerprint:
271ef53e48dc869eea6c3136091ccb6ab8589f967559824779e855d58a2294de9e
Encrypting signing key for root
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:


Note
Take down the generated KeyPrint; this
value is entered into /etc/freebsd-update.conf
on the clients for binary updates. At this
point, we are ready to stage a build.


# cd /usr/local/freebsd-update-server 


# sh scripts/init.sh amd64 RELEASE-7.2 


What follows is a sample of an initial build
run (see Listing 4).


Listing 4. Building Update Code. Initial build run

# sh scripts/init.sh amd64 7.2-RELEASE
Mon Aug 24 16:04:36 PDT 2009 Starting fetch for FreeBSD/amd64 7.2-RELEASE
/usr/local/freebsd-update-server/work/7.2-RELE100% of  588 MB  359 kBps 00m00s
Verifying disc1 hash for FreeBSD/amd64 7.2-RELEASE
Extracting components for FreeBSD/amd64 7.2-RELEASE
Constructing world+src image for FreeBSD/amd64 7.2-RELEASE
Extracting world+src for FreeBSD/amd64 7.2-RELEASE
Building world for FreeBSD/amd64 7.2-RELEASE
Distributing world for FreeBSD/amd64 7.2-RELEASE
Building and distributing kernels for FreeBSD/amd64 7.2-RELEASE
Constructing world components for FreeBSD/amd64 7.2-RELEASE
Distributing source for FreeBSD/amd64 7.2-RELEASE
Moving components into staging area for FreeBSD/amd64 7.2-RELEASE
Identifying extra documentation for FreeBSD/amd64 7.2-RELEASE
Extracting extra docs for FreeBSD/amd64 7.2-RELEASE
Indexing release for FreeBSD/amd64 7.2-RELEASE
Indexing world0 for FreeBSD/amd64 7.2-RELEASE
Files built but not released:
Files released but not built:
Files which differ by more than contents:
Files which differ between release and build:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
src|sys|/sys/conf/newvers.sh
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

Note

Then the build of the world is performed
again, with world patches. A more detailed
explanation may be found in scripts/
build.subr.

Note

And then the build completes. Approve the
build if everything looks OK. More information
on determining if things are OK can be found
in the distributed source file named USAGE.

Execute scripts/approve.sh, as directed. This
will sign the release, and move components
into a staging area suitable for uploading. It
is important to make sure that your key is
mounted during this process. A simple df will
show if it is mounted. If not mounted, mount
the key with the passphrase supplied when
creating it earlier (see Listing 7).

# cd /usr/local/freebsd-update-server
# sh scripts/mountkey.sh
After completing the approval process,
you may proceed with the upload.


# cd /usr/local/freebsd-update-server 


# sh scripts/upload.sh amd64 RELEASE-7.2 


The uploaded files will need to be in 
the DocumentRoot of the webserver in 
order for updates to be distributed. For 
further explanation, please refer to the 
Configuration section of the Apache 
documentation. 


Note
Updates for the current release of the FreeBSD
system you are updating, and what you want
to upgrade to, need to be built in order for
FreeBSD Update Server to work properly. This
is necessary for merging of files between
releases. For example, if you are updating
a system from FreeBSD 7.1 to FreeBSD 7.2,
you will need to have update code built for
FreeBSD 7.1-RELEASE and FreeBSD 7.2-
RELEASE. Update the clients' KeyPrint and
ServerName in /etc/freebsd-update.conf, and
perform updates as instructed in the FreeBSD
Update instructions in the handbook.
The instructions can be found at http://
www.freebsd.org/doc/en/books/handbook/
updating-freebsd-update.html.

Listing 5. Building Update Code

Files found which include build stamps:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/include/osreldate.h
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

For reference, here is the rest of the init.sh run,
continuing Listing 4 with the second build of the world.

Extracting world+src for FreeBSD/amd64 7.2-RELEASE
Building world for FreeBSD/amd64 7.2-RELEASE
Distributing world for FreeBSD/amd64 7.2-RELEASE
Building and distributing kernels for FreeBSD/amd64 7.2-RELEASE
Constructing world components for FreeBSD/amd64 7.2-RELEASE
Distributing source for FreeBSD/amd64 7.2-RELEASE
Moving components into staging area for FreeBSD/amd64 7.2-RELEASE
Extracting extra docs for FreeBSD/amd64 7.2-RELEASE
Indexing world1 for FreeBSD/amd64 7.2-RELEASE
Locating build stamps for FreeBSD/amd64 7.2-RELEASE
Cleaning staging area for FreeBSD/amd64 7.2-RELEASE
Preparing to copy files into staging area for FreeBSD/amd64 7.2-RELEASE
Copying data files into staging area for FreeBSD/amd64 7.2-RELEASE
Copying metadata files into staging area for FreeBSD/amd64 7.2-RELEASE
Constructing metadata index and tag for FreeBSD/amd64 7.2-RELEASE





Building a Patch

In the event a security advisory is posted to
the FreeBSD Security Advisories page, http://
www.freebsd.org/security/advisories.html,
a patch update can be built. For this
example, I will be using 7.1-RELEASE.
A couple of assumptions are made for
a different release build:

Set up the correct directory structure
for the initial build.
Perform an initial build for 7.1-RELEASE.

Create the patch directory under /usr/local/
freebsd-update-server/patches/ for the
respective release.

# mkdir -p /usr/local/freebsd-update-server/patches/RELEASE-7.1/


As an example, take the patch for named(8)
found at http://www.freebsd.org/cgi/
man.cgi?query=named&sektion=8. Read
the advisory, and grab the necessary file
from FreeBSD Security Advisories at http://
www.freebsd.org/security/advisories.html.
If you have trouble interpreting the
advisory, please read this page for more
information: http://www.freebsd.org/doc/
en_US.ISO8859-1/books/handbook/
security-advisories.html.

From the security brief found here,
http://security.freebsd.org/advisories/
FreeBSD-SA-09:12.bind.asc, we can see it is
called SA-09:12.bind.

After downloading the file, it is required
to rename the file to an appropriate patch
level. It is suggested to keep this in line with
official FreeBSD patch levels; however, this
is just a suggestion.

For this build, let us follow the brief and
call this p7. Rename the file:

# cd /usr/local/freebsd-update-server/patches/RELEASE-7.1/; mv bind.patch 7-SA-09:12.bind

Note

When running a patch level build, it is
assumed that previous patches are in
place. When a patch build is run, it will
run all patches contained in the patch
directory. Beyond this, you will have to take
appropriate measures to verify authenticity
of the patch.

You can also add your own patches
to any build. Use the number zero, or any
other number.

At this point, a diff is ready to be
built. The software checks first to see if
scripts/init.sh has been run on the
respective release prior to running the
diff build.

# cd /usr/local/freebsd-update-server
# sh scripts/diff.sh amd64 RELEASE-7.1 7

What follows is the results of a diff build
run (see Listing 8).

Note
Updates are printed, and approval is
requested.
Follow the same process as noted
before approving a build (Listing 10).
After approving the build, upload the
software.

# cd /usr/local/freebsd-update-server
# sh scripts/upload.sh amd64 RELEASE-7.1

For reference, here is the entire run of
diff.sh (Listing 8).

Listing 6. Building Update Code

Values of build stamps, excluding library archive headers:
v1.2 (Aug 25 2009 00:40:36)
v1.2 (Aug 25 2009 00:38:32)
Tue Aug 25 00:36:29 UTC 2009
Tue Aug 25 00:38:29 UTC 2009
@(#) FreeBSD 7.2-RELEASE #0:
FreeBSD 7.2-RELEASE #0:
root@server.myhost.com:/usr/obj/usr/src/sys/GENERIC
7.2-RELEASE
Mon Aug 24 23:45:12 UTC 2009
Mon Aug 24 23:50:25 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
##### built by root@server.myhost.com on Tue Aug 25 00:16:15 UTC 2009
Mon Aug 24 23:46:47 UTC 2009
ntpq 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
 * Copyright (c) 1992-2009 The FreeBSD Project.
Mon Aug 24 23:46:47 UTC 2009
Mon Aug 24 23:55:40 UTC 2009
Aug 25 2009
ntpd 4.2.4p5-a Mon Aug 24 23:55:52 UTC 2009 (1)
ntpdate 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
ntpdc 4.2.4p5-a Mon Aug 24 23:55:53 UTC 2009 (1)
Tue Aug 25 00:21:21 UTC 2009
Tue Aug 25 00:21:21 UTC 2009
Tue Aug 25 00:21:21 UTC 2009
Mon Aug 24 23:46:47 UTC 2009
FreeBSD/amd64 7.2-RELEASE initialization build complete. Please
review the list of build stamps printed above to confirm that
they look sensible, then run
# sh -e approve.sh amd64 7.2-RELEASE
to sign the release.

Listing 7. Mounting the key with the passphrase supplied

# sh -e scripts/approve.sh amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Signing build for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to patch source directories for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to upload staging area for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Updating databases for FreeBSD/amd64 7.2-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.2-RELEASE
Listing 8. Results of a diff build run

# sh -e scripts/diff.sh amd64 7.1-RELEASE 7
Wed Aug 26 10:09:59 PDT 2009 Extracting world+src for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 17:10:25 UTC 2009 Building world for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:05:11 UTC 2009 Distributing world for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:06:16 UTC 2009 Building and distributing kernels for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:17:50 UTC 2009 Constructing world components for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 18:18:02 UTC 2009 Distributing source for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:23 PDT 2009 Moving components into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:37 PDT 2009 Extracting extra docs for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:19:42 PDT 2009 Indexing world0 for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 11:23:02 PDT 2009 Extracting world+src for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 18:23:29 UTC 2010 Building world for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:18:15 UTC 2010 Distributing world for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:19:16 UTC 2010 Building and distributing kernels for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:30:52 UTC 2010 Constructing world components for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 19:31:03 UTC 2010 Distributing source for FreeBSD/amd64 7.1-RELEASE-p7
Thu Sep 30 12:32:25 PDT 2010 Moving components into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:32:39 PDT 2009 Extracting extra docs for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:32:43 PDT 2009 Indexing world1 for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:35:54 PDT 2009 Locating build stamps for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:36:58 PDT 2009 Reverting changes due to build stamps for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:14 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:14 PDT 2009 Preparing to copy files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:37:15 PDT 2009 Copying data files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:43:23 PDT 2009 Copying metadata files into staging area for FreeBSD/amd64 7.1-RELEASE-p7
Wed Aug 26 12:43:25 PDT 2009 Constructing metadata index and tag for FreeBSD/amd64 7.1-RELEASE-p7

Files found which include build stamps:
kernel|generic|/GENERIC/hptrr.ko
kernel|generic|/GENERIC/kernel
world|base|/boot/loader
world|base|/boot/pxeboot
world|base|/etc/mail/freebsd.cf
world|base|/etc/mail/freebsd.submit.cf
world|base|/etc/mail/sendmail.cf
world|base|/etc/mail/submit.cf
world|base|/lib/libcrypto.so.5
world|base|/usr/bin/ntpq
world|base|/usr/include/osreldate.h
world|base|/usr/lib/libalias.a
world|base|/usr/lib/libalias_cuseeme.a
world|base|/usr/lib/libalias_dummy.a
world|base|/usr/lib/libalias_ftp.a

Values of build stamps, excluding library archive headers:
v1.2 (Aug 26 2009 16:13:46)
v1.2 (Aug 26 2009 16:11:44)
@(#) FreeBSD 7.1-RELEASE-p7 #0: Wed Aug 26 18:11:50 UTC 2009
FreeBSD 7.1-RELEASE-p7 #0: Wed Aug 26 18:11:50 UTC 2009
root@server.myhost.com:/usr/obj/usr/src/sys/GENERIC
7.1-RELEASE-p7
Wed Aug 26 17:20:39 UTC 2009
Wed Aug 26 17:29:15 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:42:50 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:42:50 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:42:56 UTC 2009
##### built by root@server.myhost.com on Wed Aug 26 17:42:50 UTC 2009
Wed Aug 26 17:20:39 UTC 2009
ntpq 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
 * Copyright (c) 1992-2009 The FreeBSD Project.
Wed Aug 26 17:20:39 UTC 2009
Wed Aug 26 17:29:50 UTC 2009
Aug 26 2009
ntpd 4.2.4p5-a Wed Aug 26 17:29:41 UTC 2009 (1)
ntpdate 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
ntpdc 4.2.4p5-a Wed Aug 26 17:29:42 UTC 2009 (1)
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:55:02 UTC 2009
Wed Aug 26 17:20:39 UTC 2009
Listing 9. Building a patch

New updates:
kernel|generic|/GENERIC/kernel.symbols|f|0|0|0555|0|7c8dc176763f96ced0a57ffc04e7c1b8d793f27e006dd13e0b499e1474ac47e10|
kernel|generic|/GENERIC/kernel|f|0|0|0555|0|33197e8cf15bbbac263d17f39c153c9d489348c2c534f7ca11120a11183dec67b1|
kernel|generic|/|d|0|0|0755|0||
src|base|/|d|0|0|0755|0||
src|bin|/|d|0|0|0755|0||
src|cddl|/|d|0|0|0755|0||
src|contrib|/contrib/bind9/bin/named/update.c|f|0|10000|0644|0|4d434abf0983df9bc47435670d307fa882ef46b348ed8ca90928d250f42ea0757|
src|contrib|/contrib/bind9/lib/dns/openssldsa_link.c|f|0|10000|0644|0|eces0ses9ridarza0Gdd3tlo3t2oc34ade92dacd9a2d979cOacc88d736324f550|
src|contrib|/contrib/bind9/lib/dns/opensslrsa_link.c|f|0|10000|0644|0|fa0f7417ee9da42cc8d0fd96ad24e7a34125e05b5ae075bdees23erle07Za7Z|

FreeBSD/amd64 7.1-RELEASE update build complete. Please review
the list of build stamps printed above and the list of updated
files to confirm that they look sensible, then run
# sh -e approve.sh amd64 7.1-RELEASE
to sign the build.
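The index lines printed under "New updates:" are what a reviewer is asked to check before approve.sh signs the build. The following is an added example, not code from the article or from the freebsd-update-server project: it parses that line layout (component|subcomponent|path|type|uid|gid|mode|flags|sha256|link, as in Listing 9) and diffs two snapshots, separating content changes from owner/mode changes and flagging any file that newly carries setuid or setgid bits. The sample lines and their 64-hex digests are constructed placeholders.

```python
"""Parse and diff freebsd-update index lines (added example; not code from the
article or the freebsd-update-server project).  Layout as printed under
"New updates:" in Listing 9: component|subcomponent|path|type|uid|gid|mode|flags|sha256|link.
All sample lines and digests below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List

HEX = set("0123456789abcdef")
SETID_BITS = 0o6000  # setuid | setgid


@dataclass(frozen=True)
class IndexEntry:
    component: str
    subcomponent: str
    path: str
    ftype: str   # 'f' regular file, 'd' directory, 'L' symbolic link
    uid: int
    gid: int
    mode: str    # octal as printed, e.g. '0555' or '04555'
    flags: int
    digest: str  # sha256 of contents for 'f'; empty for 'd' and 'L'
    link: str    # symlink target for 'L'; empty otherwise

    @property
    def key(self) -> str:
        return f"{self.component}|{self.subcomponent}|{self.path}"

    def is_setid(self) -> bool:
        return bool(int(self.mode, 8) & SETID_BITS)


def parse_index_line(line: str) -> IndexEntry:
    """Split one index line and validate the fields a signer relies on."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 10:
        raise ValueError(f"expected 10 fields, got {len(fields)}: {line!r}")
    comp, sub, path, ftype, uid, gid, mode, flags, digest, link = fields
    if ftype not in ("f", "d", "L") or not path.startswith("/"):
        raise ValueError(f"bad type or path in {line!r}")
    if ftype == "f" and (len(digest) != 64 or set(digest) - HEX):
        raise ValueError(f"malformed sha256 for {path}: {digest!r}")
    if ftype == "L" and not link:
        raise ValueError(f"symlink without target: {path}")
    return IndexEntry(comp, sub, path, ftype, int(uid), int(gid), mode, int(flags), digest, link)


def is_valid_index_line(line: str) -> bool:
    try:
        parse_index_line(line)
        return True
    except ValueError:
        return False


def parse_index(text: str) -> Dict[str, IndexEntry]:
    entries = [parse_index_line(l) for l in text.splitlines() if l.strip()]
    return {e.key: e for e in entries}


def diff_index(old: Dict[str, IndexEntry], new: Dict[str, IndexEntry]) -> Dict[str, List[str]]:
    """Group changes as a reviewer approving a build wants them: content changes
    apart from owner/mode/type changes, plus files that newly carry setuid/setgid."""
    out: Dict[str, List[str]] = {k: [] for k in ("added", "removed", "content", "metadata", "privileged")}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if o is None:
            out["added"].append(key)
        elif n is None:
            out["removed"].append(key)
        else:
            if (o.digest, o.link) != (n.digest, n.link):
                out["content"].append(key)
            if (o.ftype, o.uid, o.gid, o.mode, o.flags) != (n.ftype, n.uid, n.gid, n.mode, n.flags):
                out["metadata"].append(key)
        if n is not None and n.ftype == "f" and n.is_setid() and (o is None or not o.is_setid()):
            out["privileged"].append(key)
    return out


# Constructed 64-hex placeholders standing in for real sha256 digests.
H_KERNEL_OLD, H_KERNEL_NEW, H_UPDATE_OLD, H_UPDATE_NEW = "11" * 32, "22" * 32, "33" * 32, "44" * 32
H_SUBMIT, H_LIBALIAS, H_NTPQ = "55" * 32, "66" * 32, "77" * 32

# Constructed index before the patch build.
OLD_INDEX = f"""\
kernel|generic|/GENERIC/kernel|f|0|0|0555|0|{H_KERNEL_OLD}|
src|contrib|/contrib/bind9/bin/named/update.c|f|0|10000|0644|0|{H_UPDATE_OLD}|
world|base|/etc/mail/submit.cf|f|0|0|0644|0|{H_SUBMIT}|
world|base|/usr/lib/libalias.a|f|0|0|0444|0|{H_LIBALIAS}|
world|base|/usr/bin/ntpq|f|0|0|0555|0|{H_NTPQ}|
world|base|/usr/lib/libcrypto.so|L|0|0|0755|0||libcrypto.so.5
"""

# Constructed index after it: kernel and update.c changed, submit.cf mode
# tightened, libalias.a dropped, a directory added, ntpq gained setuid.
NEW_INDEX = f"""\
kernel|generic|/GENERIC/kernel|f|0|0|0555|0|{H_KERNEL_NEW}|
kernel|generic|/|d|0|0|0755|0||
src|contrib|/contrib/bind9/bin/named/update.c|f|0|10000|0644|0|{H_UPDATE_NEW}|
world|base|/etc/mail/submit.cf|f|0|0|0600|0|{H_SUBMIT}|
world|base|/usr/bin/ntpq|f|0|0|04555|0|{H_NTPQ}|
world|base|/usr/lib/libcrypto.so|L|0|0|0755|0||libcrypto.so.5
"""

if __name__ == "__main__":
    for kind, keys in diff_index(parse_index(OLD_INDEX), parse_index(NEW_INDEX)).items():
        print(f"{kind}: {keys}")
```

A real run would feed it the index files from two consecutive builds; the "privileged" group is the one to read first before signing.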


Listing 10. Approving a build

# sh -e scripts/approve.sh amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Signing build for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to patch source directories for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:06 PDT 2009 Copying files to upload staging area for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Updating databases for FreeBSD/amd64 7.1-RELEASE
Wed Aug 26 12:50:07 PDT 2009 Cleaning staging area for FreeBSD/amd64 7.1-RELEASE

The FreeBSD/amd64 7.1-RELEASE update build has been signed and is
ready to be uploaded. Remember to run
# sh -e umountkey.sh
to unmount the decrypted key once you have finished signing all
the new builds.





Tips

If you build your own release using the native make release, the freebsd-update-server code will work from your release. As an example, you may build a release without ports or documentation and add a custom kernel. After removing the functionality pertaining to the documentation subroutine and altering the buildworld() subroutine in scripts/build.subr, the freebsd-update code will successfully build update code on this release.

Add make -j NUMBER to scripts/build.subr to speed up processing. Adding flags to anything other than make buildworld and make obj may cause the build to become unreliable.

Create a firewall rule to block outgoing RST packets. Due to a bug noted in this posting, http://unix.derkeiler.com/Mailing-Lists/FreeBSD/stable/2009-04/msg00365.html, you will otherwise have many time-outs and fail to update a system.

Create an appropriate DNS SRV record for your update server, and put others behind it with variable weights. This effectively creates update mirrors:

_http._tcp.update.myserver.com. IN SRV 0 2 80 host1.myserver.com.
                                   SRV 0 1 80 host2.myserver.com.
                                   SRV 0 0 80 host3.myserver.com.

Please read the source documentation. It contains valuable information that will allow you to utilize all features of the software.


Afterword

This FreeBSD Update article, found at http://www.experts-exchange.com/articles/OS/Unix/BSD/FreeBSD/Build-Your-Own-FreeBSD-Update-Server.html, was originally published at Experts-Exchange (http://www.experts-exchange.com).
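The weighted SRV records in the tip above only act as mirrors if clients follow the RFC 2782 selection procedure, so here is that client-side procedure run over the three records. This is an added example, not code from the article or from freebsd-update; the zone fragment is the article's records typed out, and the selection logic is the standard one (lowest priority value first, weighted random draws within one priority).

```python
"""Client-side SRV target selection (RFC 2782) over the update-mirror records
from the tip above. Added example, not part of the original article; the zone
text is the article's three records, the algorithm is the standard client one."""
import random
from collections import Counter
from typing import Dict, List, NamedTuple

# The article's records as a constructed zone-file fragment (continuation
# lines carry only the SRV rdata, as printed in the tip).
ZONE = """\
_http._tcp.update.myserver.com. IN SRV 0 2 80 host1.myserver.com.
                                   SRV 0 1 80 host2.myserver.com.
                                   SRV 0 0 80 host3.myserver.com.
"""

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def parse_srv(zone_text: str) -> List[SrvRecord]:
    """Parse 'SRV priority weight port target' from each line; other lines are ignored."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        prio, weight, port, target = fields[i + 1:i + 5]
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records

def order_targets(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order targets the way an RFC 2782 client tries them: lowest priority value
    first; within one priority, repeated weighted draws. Weight-0 records are
    moved to the front of the pool so they win only when the draw is exactly 0."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))   # 0..sum, inclusive
            running = 0
            for r in pool:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def mirror_order(zone_text: str, seed: int) -> List[str]:
    """Targets in try-order for one client resolution (seeded for reproducibility)."""
    return [r.target for r in order_targets(parse_srv(zone_text), random.Random(seed))]

def first_choice_counts(zone_text: str, trials: int, seed: int = 1) -> Dict[str, int]:
    """How often each mirror is tried first across `trials` client resolutions."""
    rng = random.Random(seed)
    records = parse_srv(zone_text)
    counts: Counter = Counter(order_targets(records, rng)[0].target for _ in range(trials))
    return dict(counts)

if __name__ == "__main__":
    for target, n in sorted(first_choice_counts(ZONE, 10000).items()):
        print(f"{target:<22} tried first {n} times")
```

With weights 2, 1 and 0 the draw is uniform over 0..3, so host1 is tried first about half the time and host2 and host3 a quarter each; a weight of 0 does not exclude a mirror, it only makes it the least likely first choice, which matters if the intent was to keep a host in reserve.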
Using OpenBSD and PF as a Virtual Firewall for Windows

Pedro Lereno

This article describes how to protect a Windows host with a basic configuration of an OpenBSD virtual machine with PF as a NAT router and firewall.

With the increasing usage of third-party networks (like hotel networks and wireless hotspots) people are increasingly putting their Windows laptops at risk. When we connect to unknown networks, we lose the protection of our home NAT router or enterprise firewall.

The Windows firewall, by default, has many open ports to the local network, like the file and print sharing service ports, which are the source of many security holes. Some malware changes settings on the Windows firewall and hides those changes. There is nothing better than a different OS in the middle to keep track of our network traffic.


Figure 1. Unselect all items except VMware Bridge Protocol (Local Area Connection Properties dialog: only VMware Bridge Protocol checked)

Figure 2. Be sure to unselect Windows TCP/IP (Local Area Connection Properties dialog: Internet Protocol (TCP/IP) unchecked)
Because of that a new kind of device has been born: portable travel routers. With that in mind, why not create our own travel router inside our laptop?

After reading the great article from Prof. Vassilis Prevalakis from Drexel University in Philadelphia (http://www.prevelakis.net/Papers/VirtualFirewall.pdf), I decided to build my own virtual firewall.


Preparing the Host Machine

First we need to install a new VMware Server virtual machine. After the machine is built and configured with the correct hardware interfaces, we can deploy it to other hosts with the lightweight VMware Player.

I have chosen VMware because of my experience with it. I didn't try this setup with other virtualization products, but I think it will work in the same way.

To get VMware, go to http://www.vmware.com, select Products and VMware Server (a free virtual server). To download the product you have to register. Once downloaded, install VMware.

In order to make your Windows host invisible to the outside world, configure your Windows network adapter with only the VMware Bridge Protocol selected (Figure 1). Be sure to unselect Client for Microsoft Networks and Internet Protocol (TCP/IP) (see Figure 2).

On VMnet1, configure the default gateway and the DNS servers. The default gateway will be the IP address of the host-only interface (vic1) of the virtual machine (VM). The other interface of the VM is bridged with the real interface (Figure 3). The VMnet8 Windows interface may be disabled.

The host-only interface connects only to the host; the bridged interface is shared with the physical interface.

We can check the Windows IP configuration with the command ipconfig:

Ethernet adapter VMware Network Adapter VMnet1:

    Connection-specific DNS Suffix  . :
    IP Address. . . . . . . . . . . . : 192.168.21.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.21.2












Figure 3. Virtual scenario: Windows host connected to NAT router





Figure 4. VMware Server: Virtual Machine creation (VMware Infrastructure Web Access in the browser, Virtual Machine menu)


Figure 5. VMware Server: Guest Operating System selection (Operating System: Other operating systems, Version: Other (32-bit))
Figure 6. VMware Server: Virtual Machine memory and processor (Memory size: 128 MB; recommended 256 MB, minimum 32 MB, maximum 8192 MB; Processors count: 1)


Figure 7. VMware Server: Virtual Machine hard disk (caption not recovered from the scan; Capacity: 2 GB, Location: [standard] PF/PF.vmdk, 40.17 GB available)

Figure 8. VMware Server: Virtual Machine network connection (Network Connection: Bridged, Connect at Power On: Yes)
There is no IP configuration on the external interface.


Installing VMware Server

Open VMware Infrastructure Web Access and authenticate with your Windows account. Go to the Virtual Machine menu and select Create Virtual Machine (see Figure 4).

Give a name to this virtual machine (in this example it was PF).

Select the operating system: Other operating systems: Other (32-bit) (see Figure 5).

Select a memory size of 128 MB and the use of 1 processor (see Figure 6). Create a new virtual disk with 2 GB (see Figure 7), default settings. Add a Network Adapter with one network connection, bridged (Figure 8). Use the physical CD drive, or the ISO image, to install the operating system (install45.iso from http://openbsd.org). Don't add a floppy. The USB controller might be useful to directly connect USB network interfaces (for example 3G modems). After finishing this wizard, go to the virtual machine summary page and on the right side menu select Add hardware, select network adapter and then choose the network connection HostOnly (see Figure 9).

This is the summary of the created virtual machine (see Figure 10). Power On.


Installing OpenBSD

I have chosen OpenBSD and PF for the virtual appliance because of the strong security of the OS and the easy to understand commands of PF (for those used to Cisco, these rules are familiar). In Listing 1 you can see the installation of OpenBSD. Pay attention to the interface cards' IP addresses. The system has only one system partition and the swap, for an easy install and understanding.


Listing 1. OpenBSD installation on the Virtual Machine

choose install (i)
Terminal type? vt220
keyboard mapping? pt (in my case)
Proceed with install? yes
Which one is the root disk? sd0
Use all disk for OpenBSD? yes
> a b
offset: [63]
size: [4192902] 256m
Rounding to cylinder: 530032
FS type: [swap]
> a a
offset: [530145]
size: [3662820]
FS type: [4.2BSD]
mount point: [none] /
> q
Write new label?: y
Are you really sure that you are ready to proceed? yes
System hostname? PF
Configure network? yes
Available interfaces are: vic0 vic1.
Which one do you wish to initialize? vic0
Symbolic name for vic0? pf_ext
Do you want to change the media options? no
IPv4 address for vic0? dhcp
IPv6 for vic0? none
Available interfaces are: vic1.
Which one do you wish to initialize? vic1
Symbolic name for vic1? pf_int
Do you want to change the media options? no
IPv4 address for vic1? 192.168.21.2
Netmask? 255.255.255.0
IPv6 for vic1? none
Which one do you wish to initialize? done
DNS domain name? (put your default domain)
DNS nameserver? 208.67.222.222 208.67.220.220 (example from opendns)
Use the nameserver now? yes
Default IPv4 route? dhcp
Edit hosts with ed? no
Do you want to do any manual network configuration? no
Password for root account?
Location of the sets? cd
Which one contains the install media? cd0
Pathname to the sets? 4.5/i386
Set name? done (leave the default)
Ready to install sets? yes
Location of the sets? done
Start sshd by default? yes
Start ntpd by default? no
Do you expect to run the X Window System? no
Change the default console to com0? no
What timezone are you in? Portugal (choose your own)
halt
unplug the iso cd


Installing Some Tools and PF Configuration

Uncomment the following line of the file /etc/sysctl.conf by deleting the #:

net.inet.ip.forwarding=1

This option permits the traffic flow between the two interfaces. We are not considering using multicast and IPv6, but if necessary, uncomment those lines too. Activate PF in /etc/rc.conf.local:

pf=YES

Restart to activate the changes. Add the following line to the /etc/hosts file:

192.168.21.1 localpc

Install these packages, which can be useful for monitoring network traffic from the internet:

# export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/packages/i386
# pkg_add pftop
# pkg_add ntop

If you are familiar with top for process management, these tools work in the same format and can be useful to track network connections and firewall activity. This is an example of a very simple pf.conf configuration:

/etc/pf.conf

scrub in
nat on vic0 from vic1:network to any -> vic0
block in all
pass in on vic1

Testing the firewall rules:

# pfctl -nf /etc/pf.conf

Adding the rules:

# pfctl -vf /etc/pf.conf    # -v: verbose output

We are blocking all incoming traffic from the external interface, permitting traffic from the internal interface, and making NAT. Now we have access from our internal Windows host to the outside world. We can try nmap from the outside to check for open ports.


Connect to the Corporate VPN

Our corporate firewall is a Cisco ASA. Our remote teleworkers connect through Cisco VPN client software. To resolve this problem while not opening unnecessary holes in our virtual firewall, we use the package vpnc. Installing the package:

# export PKG_PATH=ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/packages/i386
# pkg_add vpnc

Use a new pf configuration (NAT has changed because of the VPN):


(point to physical) and reset your 
Figure 9. VMware Server: adding hardware to the Virtual Machine (Add Hardware Wizard: Hardware Type: Network Adapter, Network Connection: HostOnly, Connect at Power On: Yes)

Figure 10. VMware Server: Virtual Machine hardware configuration
  Processors: 1
  Memory: 128 MB
  Hard Disk 1 (SCSI 0:0): 2,00 GB
  Network Adapter 1: Bridged
  Network Adapter 2: HostOnly
  CD/DVD Drive 1 (IDE 1:0): Using file install45.iso
  SCSI Controller 0: LSI Logic

set skip on lo
set skip on tun0
scrub in
nat on tun0 from !(tun0) to any -> (tun0)
block in log all
pass on tun0
pass from {lo0, vic1:network, vic0} to any keep state

Fill the file /etc/vpnc/default.conf with your Cisco VPN client access profile. Start the VPN:

# vpnc
# ifconfig tun0 mtu 1452

The default MTU size for tun0 is 1414; this is sufficient if our host was the virtual appliance itself, but it is insufficient for the NAT'ed host behind it (Figure 11).

You can see the encrypted IPsec network traffic with the command:

# tcpdump -e -ttt -n -i vic0

Or the unencrypted traffic:

# tcpdump -e -ttt -n -i vic1
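To see why the two rulesets in this article behave as described (inbound traffic on the external interface blocked, the internal network passed, the VPN tunnel exempted), here is an added Python example, not code from the article or from OpenBSD, that replays PF's last-matching-rule evaluation over both the basic ruleset and the VPN ruleset with a few constructed packets. The interface table is an assumption: vic1's address comes from the article, while the vic0 DHCP lease and the tun0 address are made up for the example. Only the pf.conf subset these two rulesets use is modelled; scrub and nat lines are skipped because they normalize or translate packets rather than pass or block them.

```python
"""Replay PF's filter decision (last matching rule wins; none of these rules
use 'quick') over the two rulesets from this article. Added example, not code
from the article or from OpenBSD: it models only the pf.conf subset those
rulesets use and skips scrub/nat lines, which are not pass/block decisions."""
import ipaddress
import re
from collections import namedtuple

# Constructed interface table: vic1's address is the article's; vic0's DHCP
# lease and the vpnc tun0 address are assumptions made for this example.
IFACES = {
    "lo0":  ipaddress.IPv4Interface("127.0.0.1/8"),
    "vic0": ipaddress.IPv4Interface("10.0.0.5/24"),
    "vic1": ipaddress.IPv4Interface("192.168.21.2/24"),
    "tun0": ipaddress.IPv4Interface("172.16.30.4/32"),
}

RULESET_BASIC = """
scrub in
nat on vic0 from vic1:network to any -> vic0
block in all
pass in on vic1
"""

RULESET_VPN = """
set skip on lo
set skip on tun0
scrub in
nat on tun0 from !(tun0) to any -> (tun0)
block in log all
pass on tun0
pass from {lo0, vic1:network, vic0} to any keep state
"""

Packet = namedtuple("Packet", "iface direction src dst")        # direction: "in" or "out"
Rule = namedtuple("Rule", "action direction iface src dst log text")
Decision = namedtuple("Decision", "action logged rule")

def _parse_rule(line):
    action, rest = line.split(None, 1)
    groups = re.findall(r"\{[^}]*\}", rest)          # "{a, b}" lists become one token
    for i, g in enumerate(groups):
        rest = rest.replace(g, f"@{i}")
    tok = rest.split()
    f = {"direction": None, "iface": None, "src": ["any"], "dst": ["any"], "log": False}
    for t, nxt in zip(tok, tok[1:] + [""]):
        if t in ("in", "out"):
            f["direction"] = t
        elif t == "log":
            f["log"] = True
        elif t == "on":
            f["iface"] = nxt
        elif t in ("from", "to"):
            hosts = groups[int(nxt[1:])].strip("{}").split(",") if nxt.startswith("@") else [nxt]
            f["src" if t == "from" else "dst"] = [h.strip() for h in hosts]
        # "all" means from any to any (already the default); "keep state" does not change the verdict
    return Rule(action, f["direction"], f["iface"], f["src"], f["dst"], f["log"], line)

def parse_ruleset(text):
    """Return the filter rules in file order and the interfaces named in 'set skip on'."""
    rules, skip = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("set skip on"):
            skip.add(line.split()[-1])
        elif line.startswith(("block", "pass")):
            rules.append(_parse_rule(line))
    return rules, skip

def _matches(spec, addr):
    """Host spec: any, an interface name (its address), IFACE:network or a CIDR; '!' negates."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!").strip("()")
    if name.endswith(":network"):
        hit = addr in IFACES[name[:-len(":network")]].network
    elif name in IFACES:
        hit = addr == IFACES[name].ip
    else:
        hit = addr in ipaddress.ip_network(name, strict=False)
    return hit != negate

def evaluate(ruleset, pkt):
    """PF verdict for one packet: skipped interfaces pass, otherwise the last matching rule wins."""
    rules, skip = parse_ruleset(ruleset)
    if pkt.iface in skip or pkt.iface.rstrip("0123456789") in skip:   # 'lo' names a group
        return Decision("pass", False, f"set skip on {pkt.iface}")
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    decision = Decision("pass", False, "implicit default pass")
    for r in rules:
        if (r.direction and r.direction != pkt.direction) or (r.iface and r.iface != pkt.iface):
            continue
        if any(_matches(s, src) for s in r.src) and any(_matches(d, dst) for d in r.dst):
            decision = Decision(r.action, r.log, r.text)   # a later match overrides an earlier one
    return decision
```

The basic ruleset lets an outbound packet on vic0 through only because nothing blocks the out direction, which is PF's implicit default; the VPN ruleset's final pass rule is what admits the internal network after block in log all, and the vic0 entry in that list admits only the appliance's own address, not the whole bridged segment.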


Figure 11. VPN encapsulation on the Virtual Router


Conclusion

This method is not as safe as having an external device, but it is safer than many default router configurations with, for example, Universal Plug-and-Play (UPnP) enabled.

We can make it a lot safer from unexpected Windows behavior by using a non-admin account without privileges to change network interfaces, and the VMware Authentication service to boot the VM as a non-Administrator account.

Those not familiar with command-line configuration of PF can use pfSense. pfSense is a FreeBSD distribution customized for routers and firewalls with a nice web interface to manipulate PF rules. After booting the ISO live image available on VMware Server or using the VMware appliance in VMware Player, we choose le0 (bridged) as the WAN interface and le1 (host-only) as the LAN, then all the configuration is done in the browser.

All of these examples were made with Microsoft Windows XP Professional (US English) as the host system and OpenBSD 4.5 in the Virtual Machine. My objective was to describe the preparation of the host system, the VM, and the way they interconnect step by step. Many more things can be done with PF that I didn't mention. Read the references for going deeper into PF.

This can also be a good way to test complex firewall rules before applying them to the corporate firewall. Or, if you cannot get rid of your Windows desktop because of some applications, it is a good way to get the best of both worlds.

I hope you enjoy the Virtual Firewall.


References

* The Virtual Firewall - Vassilis Prevalakis - www.prevelakis.net/Papers/VirtualFirewall.pdf
* Firewalling with OpenBSD's PF packet filter - Peter Hansteen - http://www.bsdly.net/~peter/pf.html
* PF User's Guide - http://www.openbsd.org/faq/pf/index.html
* pfSense - http://www.pfsense.com/
Keeping FreeBSD Applications Up-To-Date

Richard Bejtlich
Principal Technologist and Director of Incident Response, General Electric

An important system administration task, and a principle of running a defensible network, is keeping operating systems and applications up-to-date.


Running current software is critical when older services are vulnerable to exploitation. Obtaining new features not found in older applications is another reason to run current software. Fortunately, open source software offers a variety of means to give users a secure, capable computing environment.

This article presents multiple ways to keep FreeBSD applications up-to-date. I use a FreeBSD 7.1 system, and subsequent versions, to demonstrate how to install applications not included with the OS and how to keep those applications up-to-date. It is important to realize that this article discusses applications only; it does not discuss the OS. FreeBSD does not have a unified update mechanism for the OS and applications. By applications I mean software outside of the kernel and userland. For example, Debian systems can use the apt tool to keep the distribution and packaged applications up-to-date. FreeBSD does not have a single equivalent tool, so this article only addresses keeping applications up-to-date.

In this article I do not differentiate between an update and an upgrade. I will use the term update to describe any action that changes the version of an installed application.

I chose FreeBSD 7.1, released in January 2009, as my starting point because applications for it offer a security history suitable for describing multiple update cases. At the time of writing FreeBSD 7.2 is the latest STABLE release and 8.0 is now available. Readers wondering why someone might want to install an old OS version can imagine that there might be an application supported only on FreeBSD 7.1 and not yet officially ready for 7.2 or 8.0, prompting an administrator to run a 7.1 box.

All of the work done in this article was done remotely via OpenSSH. One danger of performing remote upgrades is losing the connection during a critical phase of the process. One software-based way to deal with this issue is to conduct all remote upgrades within a screen(1) session (http://www.freshports.org/misc/screen). Should you lose connectivity during the upgrade while running screen, your session will continue uninterrupted. The screen(1) program has suffered security problems in the past, so balance its features against the possible risks.

My advice on administering this reference platform is based on deploying FreeBSD on servers, workstations, and laptops since 2000. The article represents a mix of my interpretations of official FreeBSD documentation, input from mentors, and the result of my own experimentation and deployment strategies. This guide cannot be anywhere near a complete reference on keeping FreeBSD up-to-date or maintaining a secure system. I strongly recommend reading the excellent FreeBSD Handbook as well as the multiple helpful published books on FreeBSD.


FreeBSD Handbook and Absolute FreeBSD 2nd Ed

Please note that Chapter 4, Installing Applications: Packages and Ports, is the authoritative source for information on keeping FreeBSD applications up-to-date (http://www.freebsd.org/doc/en/books/handbook/ports.html). The reason I wrote this article was to show how these various mechanisms apply in practice, and which I prefer in production. I must also recommend Michael W. Lucas' excellent book Absolute FreeBSD, 2nd Ed (No Starch, 2008). Several other excellent FreeBSD writers have produced books, but Michael's is my favorite. For deeper coverage on the topics in this article, please see the Handbook or Michael's book.


A Common Linux Experience

FreeBSD's application installation, maintenance, and removal process is sometimes confusing to those with a Linux background. For purposes of a brief comparison, I will demonstrate how to
install the Curl application on a Debian 5.0 host using the apt-get tool. For authoritative documentation on using APT, please see http://www.debian.org/doc/manuals/apt-howto/. To install Curl, the user simply enters apt-get install curl (see Listing 1).

That is easy enough!


Simple Package Installation on FreeBSD

FreeBSD users can install Curl using a similar method (see Listing 2).

First we set a proxy for our environment. The -v switch permits seeing verbose output. The command to install the Curl package on FreeBSD from a remote package repository requires the -r switch. You can see the location from where the package was retrieved in this output:

document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz]
...edited...
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz...

If you visit the FTP server and look at the directory, you'll see that curl.tbz is really a symlink to the following:

ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.1-release/All/curl-7.18.0.tbz

The packages-7.1-release directory means that the package curl-7.18.0.tbz is the version of the package built for the release of FreeBSD 7.1, as was shipped on CD. Newer versions are available remotely and I will describe how to acquire those later.

The pkg_info command shows the Curl package is now installed. I issue the rehash command to ensure that curl is in the path for the user's shell.


Checking for Vulnerable Packages with Portaudit

FreeBSD's Portaudit tool is the easiest way to determine if any installed packages have security vulnerabilities. Portaudit relies on the FreeBSD VuXML site (http://www.vuxml.org/freebsd/) for knowledge of vulnerable packages. Don't worry about the term port vs. package right now; I'll address it soon. To see if the installed packages have any vulnerabilities, install and run Portaudit (see Listing 3). We see that Curl has a security vulnerability that requires a patch. We'll address ways to fix that in the following sections.


Listing 1. Installing curl on Debian using apt-get

shuttle02:~# uname -a
Linux shuttle02 2.6.26-1-686 #1 SMP Fri Mar 13 18:08:45 UTC 2009 i686 GNU/Linux
shuttle02:~# apt-get install curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  ca-certificates libcurl3 libssh2-1 openssl
The following NEW packages will be installed:
  ca-certificates curl libcurl3 libssh2-1 openssl
0 upgraded, 5 newly installed, 0 to remove and 1 not upgraded.
Need to get 1687kB of archives.
After this operation, 4133kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://http.us.debian.org stable/main openssl 0.9.8g-15+lenny1 [1036kB]
Get:2 http://security.debian.org stable/updates/main libcurl3 7.18.2-8lenny3 [228kB]
Get:3 http://http.us.debian.org stable/main ca-certificates 20080809 [151kB]
Get:4 http://http.us.debian.org stable/main libssh2-1 0.18-1 [64.3kB]
Get:5 http://security.debian.org stable/updates/main curl 7.18.2-8lenny3 [208kB]
Fetched 1687kB in 1s (1290kB/s)
Preconfiguring packages ...
Selecting previously deselected package openssl.
(Reading database ... 51192 files and directories currently installed.)
Unpacking openssl (from .../openssl_0.9.8g-15+lenny1_i386.deb) ...
Selecting previously deselected package ca-certificates.
Unpacking ca-certificates (from .../ca-certificates_20080809_all.deb) ...
Selecting previously deselected package libssh2-1.
Unpacking libssh2-1 (from .../libssh2-1_0.18-1_i386.deb) ...
Selecting previously deselected package libcurl3.
Unpacking libcurl3 (from .../libcurl3_7.18.2-8lenny3_i386.deb) ...
Selecting previously deselected package curl.
Unpacking curl (from .../curl_7.18.2-8lenny3_i386.deb) ...
Processing triggers for man-db ...
Setting up openssl (0.9.8g-15+lenny1) ...
Setting up ca-certificates (20080809) ...
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
Setting up libssh2-1 (0.18-1) ...
Setting up libcurl3 (7.18.2-8lenny3) ...
Setting up curl (7.18.2-8lenny3) ...
shuttle02:~# which curl
/usr/bin/curl
Listing 2. Installing curl on FreeBSD using pkg_add

freebsd7# uname -a
FreeBSD freebsd7.localdomain 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Thu Aug 20 11:24:04 EDT 2009     root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386
freebsd7# setenv HTTP_PROXY http://172.16.2.1:3128
freebsd7# pkg_add -r -v curl
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz]
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz
>>> GET ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: Squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 19:52:19 GMT
<<< Content-Type: text/plain
<<< Content-Length: 10383297
content length: [10383297]
<<< Last-Modified: Mon, 08 Sep 2008 10:45:09 GMT
last modified: [2008-09-08 10:45:09]
<<< X-Cache: MISS from 1Z00a.tacsecurity.com
<<< Via: 1.0 1Z00a.tacsecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 10383297
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/curl.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x man/man1/curl.1.gz
...edited...
x share/examples/curl/synctime.c
tar command returns 0 status
Done.
extract: Package name is curl-7.18.0
extract: CWD to /usr/local
extract: /usr/local/man/man1/curl.1.gz
...edited...
extract: /usr/local/share/examples/curl/synctime.c
extract: execute '/sbin/ldconfig -m /usr/local/lib'
extract: CWD to .
Running mtree for curl-7.18.0..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/curl-7.18.0..
Package curl-7.18.0 registered in /var/db/pkg/curl-7.18.0
freebsd7# pkg_info
curl-7.18.0         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
freebsd7# rehash
Listing 3. Installing portaudit on FreeBSD

freebsd7# pkg_add -r portaudit
Fetching ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7.1-release/Latest/portaudit.tbz... Done.
===>  To check your installed ports for known vulnerabilities now, do:

      /usr/local/sbin/portaudit -Fda

freebsd7# rehash
freebsd7# portaudit -Fdav
Attempting to fetch from http://www.FreeBSD.org/ports/.
auditfile.tbz                                 100% of ...
New database installed.
Database created: Mon Aug 24 15:10:03 EDT 2009
Affected package: curl-7.18.0 (matched by curl>=5.11<7.19.4)
Type of problem: curl -- cURL/libcURL Location: Redirect URLs Security Bypass.
Reference: <http://www.FreeBSD.org/ports/portaudit/5d433534-f41c-402e-ade5-e0a2259a7cb6.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
FreeBSD Package Repositories

It is important to understand what versions of packages are made available through the FreeBSD project. Visiting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/ shows what's available for the i386 platform. (The FreeBSD team also regularly builds packages for the amd64 platform; see Listing 4.)

For the purposes of our system (running a version of FreeBSD 7.x), we care about the packages-7* directories.

Earlier we installed Curl and it was retrieved from the packages-7.1-release directory. The packages-7.2-release directory is likely to contain a newer version of Curl since 7.2 was released months after 7.1. If we check that directory, we find curl-7.19.4.tbz is available, with a build date of Apr 21.

Looking back at our Portaudit output, we see that 7.19.4 is not vulnerable:

(matched by curl>=5.11<7.19.4)

Let's remember that for now, but also look at the other packages-7* directory, packages-7-stable. In that directory we find curl-7.19.6_1.tbz available, with a build date of Aug 22. That version is also not vulnerable.

So what does packages-7-stable mean? That directory contains the latest packages built for FreeBSD 7.x. If you're thinking that you might want to install packages from that site on a regular basis, you are right. I'll cover that soon. For now we want to know how to update Curl to a newer version.
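Portaudit's match line (curl>=5.11<7.19.4) is a version range, and the reasoning above about which curl packages fall inside it can be checked mechanically. The following is an added Python example, not part of the article or of portaudit, implementing a simplified form of pkg_version(1)'s comparison (dotted numeric components, an optional _N port revision, an optional ,N port epoch; letter suffixes are only compared as plain strings, which is an approximation) and applying the article's range to the article's package names.

```python
"""Check installed FreeBSD packages against a portaudit-style version range such
as 'curl>=5.11<7.19.4'. Added example, not part of the article or of portaudit.
The comparison is a simplified pkg_version(1): epoch (',N') first, then dotted
numeric components, then port revision ('_N'); letter suffixes are compared as
plain strings, which is an approximation of the real rules."""
import re
from typing import List, Tuple

def parse_version(v: str) -> Tuple[int, List[Tuple[int, str]], int]:
    """'7.19.6_1,2' -> (epoch=2, [(7, ''), (19, ''), (6, '')], revision=1)."""
    epoch = revision = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    parts = []
    for comp in v.split("."):
        m = re.match(r"(\d*)(.*)", comp)
        parts.append((int(m.group(1) or 0), m.group(2)))
    return epoch, parts, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b.
    Missing trailing components count as 0, so 7.19 == 7.19.0."""
    ea, pa, ra = parse_version(a)
    eb, pb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))
    pa, pb = pa + [(0, "")] * (n - len(pa)), pb + [(0, "")] * (n - len(pb))
    for x, y in zip(pa, pb):
        if x != y:
            return (x > y) - (x < y)
    return (ra > rb) - (ra < rb)

_OPS = {">=": lambda c: c >= 0, "<=": lambda c: c <= 0,
        ">": lambda c: c > 0, "<": lambda c: c < 0, "=": lambda c: c == 0}

def parse_range(spec: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'curl>=5.11<7.19.4' -> ('curl', [('>=', '5.11'), ('<', '7.19.4')])."""
    m = re.match(r"([^<>=]+)(.*)", spec)
    bounds = re.findall(r"(>=|<=|>|<|=)([^<>=]+)", m.group(2))
    return m.group(1), bounds

def is_affected(installed: str, spec: str) -> bool:
    """True when an installed package such as 'curl-7.18.0' lies inside the range."""
    name, version = installed.rsplit("-", 1)
    spec_name, bounds = parse_range(spec)
    if name != spec_name:
        return False
    return all(_OPS[op](compare_versions(version, bound)) for op, bound in bounds)

def audit(installed: List[str], specs: List[str]) -> List[Tuple[str, str]]:
    """(package, range) pairs for every installed package that some range covers."""
    return [(pkg, spec) for pkg in installed for spec in specs if is_affected(pkg, spec)]

if __name__ == "__main__":
    # Constructed sample: the packages named in this article and the range portaudit printed.
    installed = ["curl-7.18.0", "portaudit-0.5.12", "curl-7.19.4", "curl-7.19.6_1"]
    for pkg, spec in audit(installed, ["curl>=5.11<7.19.4"]):
        print(f"Affected package: {pkg} (matched by {spec})")
```

Running it flags only curl-7.18.0: the upper bound is exclusive, so the 7.2-RELEASE package curl-7.19.4 is clear, and the port revision on curl-7.19.6_1 sorts after a plain 7.19.6, as it should.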


Updating Packages by Deletion and Addition

Deleting an installed package and adding a new version is one way to update a package. The easiest way to accomplish this goal is to change to the /var/db/pkg directory and use the pkg_delete command (see Listing 5).

With Curl deleted, we can add the new version. For demonstration purposes we'll add the version shipped with FreeBSD 7.2-RELEASE. To tell pkg_add how to get that package, we set the PACKAGESITE variable (see Listing 6).

Curl is now installed. Notice that a dependency, ca_root_nss, was also installed. If we rerun Portaudit, the vulnerability should be eliminated (see Listing 7).
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That process seems simple enough. 
However, it is probably not convenient 
to delete and add every package on 
a system when the administrator wants 
to update the packages. To run a more 
automated update system, we have to 
turn to the FreeBSD ports tree. 


Introducing the FreeBSD Ports Tree

Thus far we have worked with FreeBSD packages. They are convenient, but they do not independently support an update mechanism. The reference against which packages are compared to determine their freshness is the FreeBSD ports tree. On our reference FreeBSD 7.1 system, we installed the version of the ports tree that shipped with FreeBSD 7.1-RELEASE.

The FreeBSD ports tree can be found in the /usr/ports directory (see Listing 8). For the purposes of this article, it is sufficient to know that FreeBSD ports are a framework upon which application source code is installed on a FreeBSD system.


Listing 4. pub/FreeBSD/ports/i386 directory listing

packages -> packages-stable
packages-6-stable
packages-6.4-release
packages-7-stable
packages-7.1-release
packages-7.2-release
packages-8-current -> packages-8-stable
packages-8-stable
packages-9-current
packages-current -> packages-8-current/
packages-stable -> packages-7-stable

Listing 5. Removing a FreeBSD package with pkg_delete

freebsd7# pkg_info
curl-7.18.0_7       Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
freebsd7# cd /var/db/pkg/
freebsd7# ls
curl-7.18.0_7       portaudit-0.5.12
freebsd7# pkg_delete curl-7.18.0_7
freebsd7# pkg_info
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi


Updating the FreeBSD Ports Tree

The easiest way to update the FreeBSD ports tree is to use Colin Percival's Portsnap tool (http://www.daemonology.net/portsnap/), now shipped with FreeBSD. First run portsnap fetch to download a compressed version of the FreeBSD ports tree needed by portsnap, then run portsnap extract to unpack it into /usr/ports (see Listing 9).

In the future, we do not need to run portsnap extract. Instead, we run portsnap update.

With the FreeBSD ports tree installed, we can use the pkg_version tool to check what packages need to be updated. This checks for any update, not just security updates as we saw with Portaudit (see Listing 10).

As we can see, two of our packages (Curl and Portaudit) have newer versions available.


Reading /usr/ports/UPDATING

It is important to read /usr/ports/UPDATING before invoking Portupgrade. We have not done so yet because these examples have
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Listing 6. Installing a newer curl package using pkg_add

freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/
freebsd7# pkg_add -v curl
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz]
---> ftp.freebsd.org:21
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 20:00:58 GMT
<<< Content-Type: text/plain
<<< Content-Length: 1097934
content length: [1097934]
<<< Last-Modified: Mon, 13 Apr 2009 21:16:46 GMT
last modified: [2009-04-13 21:16:46]
<<< X-Cache: MISS from r200a.taosecurity.com
<<< Via: 1.0 r200a.taosecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 1097934
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/Latest/curl.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x man/man1/curl.1.gz
...
x share/examples/curl/threaded-ssl.c
tar command returns 0 status
Done.
Package 'curl-7.19.4' depends on 'ca_root_nss-3.11.9_2' with 'security/ca_root_nss' origin.
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz]
---> ftp.freebsd.org:21
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
>>>
<<< HTTP/1.0 200 Gatewaying
<<< Server: squid/2.7.STABLE6
<<< Date: Mon, 24 Aug 2009 20:01:02 GMT
<<< Content-Type: text/plain
<<< Content-Length: 172602
content length: [172602]
<<< Last-Modified: Mon, 13 Apr 2009 21:00:07 GMT
last modified: [2009-04-13 21:00:07]
<<< X-Cache: MISS from r200a.taosecurity.com
<<< Via: 1.0 r200a.taosecurity.com:3128 (squid/2.7.STABLE6)
<<< Connection: close
<<<
offset 0, length -1, size -1, clength 172602
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7.2-release/All/ca_root_nss-3.11.9_2.tbz...
x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x share/certs/ca-root-nss.crt
tar command returns 0 status
Done.
Finished loading ca_root_nss-3.11.9_2 over FTP
extract: Package name is ca_root_nss-3.11.9_2
extract: CWD to /usr/local
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
extract: /usr/local/share/certs/ca-root-nss.crt
extract: CWD to .
Running mtree for ca_root_nss-3.11.9_2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/ca_root_nss-3.11.9_2..
Package ca_root_nss-3.11.9_2 registered in /var/db/pkg/ca_root_nss-3.11.9_2
'ca_root_nss-3.11.9_2' loaded successfully.
extract: Package name is curl-7.19.4
extract: CWD to /usr/local
extract: /usr/local/man/man1/curl.1.gz
...
extract: /usr/local/share/examples/curl/threaded-ssl.c
extract: execute '/sbin/ldconfig -m /usr/local/lib'
extract: CWD to .
Running mtree for curl-7.19.4..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/curl-7.19.4..
Trying to record dependency on package 'ca_root_nss-3.11.9_2' with 'security/ca_root_nss' origin.
Package curl-7.19.4 registered in /var/db/pkg/curl-7.19.4
freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi

Listing 7. Portaudit output shows curl is no longer vulnerable

freebsd7# portaudit -Fdav
Attempting to fetch from http://www.FreeBSD.org/ports/.
auditfile.tbz                                 100% of   57 kB   69 kBps
New database installed.
Database created: Mon Aug 24 15:40:01 EDT 2009
0 problem(s) in your installed packages found.

Listing 8. FreeBSD ports tree

freebsd7# ls /usr/ports
.cvsignore      arabic          emulators       mbone           shells
CHANGES         archivers       finance         misc            sysutils
COPYRIGHT       astro           french          multimedia      textproc
GIDs            audio           ftp             net             ukrainian
INDEX-7         benchmarks      games           net-im          vietnamese
KNOBS           biology         german          net-mgmt        www
LEGAL           cad             graphics        net-p2p         x11
MOVED           chinese         hebrew          news            x11-clocks
Makefile        comms           hungarian       palm            x11-drivers
Mk              converters      irc             polish          x11-fm
README          databases       japanese        ports-mgmt      x11-fonts
Templates       deskutils       java            portuguese      x11-servers
Tools           devel           korean          print           x11-themes
UIDs            distfiles       lang            russian         x11-toolkits
UPDATING        dns             mail            science         x11-wm
accessibility   editors         math            security
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been fairly simple. However, there may 
be information in /usr/ports/UPDATING 
that could recommend different actions 
depending on the ports of interest. From 
now on, consult /usr/ports/UPDATING after 
you upgrade your ports tree and before 
you invoke Portupgrade. 


Listing 9. Updating the ports tree with portsnap

freebsd7# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from portsnap2.FreeBSD.org... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Fetching snapshot generated at Sun Aug 23 20:41:07 EDT 2009:
e4a063906c569ab6d82cdc053dda2ced013f53d80723ef4100% of   59 MB  359 kBps 00m00s
Extracting snapshot... done.
Verifying snapshot integrity... done.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Sun Aug 23 20:41:07 EDT 2009 to Mon Aug 24 13:52:56 EDT 2009.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 30 patches.....10....20....30 done.
Applying patches... done.
Fetching 2 new ports or files... done.
freebsd7# portsnap extract
/usr/ports/.cvsignore
/usr/ports/CHANGES
/usr/ports/COPYRIGHT
...
/usr/ports/x11/zenity/
Building new INDEX files... done.

Listing 10. Using pkg_version to check for updates

freebsd7# pkg_version -v
ca_root_nss-3.11.9_2   =   up-to-date with port
curl-7.19.4            <   needs updating (port has 7.19.6_1)
portaudit-0.5.12       <   needs updating (port has 0.5.13)

Installing Portupgrade

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
The FreeBSD Portupgrade program (http://wiki.freebsd.org/portupgrade) is a powerful tool that offers the ability to update packages using only packages. Portupgrade is a bit heavy in the sense that it requires installing Ruby as a dependency, whereas other options do not require such dependencies. However, other options do not seem to have the ability to dictate installing packages instead of building from ports.

We'll install Portupgrade from the 7-stable package collection by setting the appropriate environment variable and then invoking pkg_add. When we start we have only 3 packages installed (see Listing 11).

After adding Portupgrade, we have 7 packages installed. You can see the Ruby and Berkeley DB dependencies installed by Portupgrade.

Updating Packages Using Portupgrade

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
With Portupgrade installed, we can use the portversion tool to determine what packages need updating (see Listing 12). If we just want to see packages that need updating, we run portversion -v -l "<".

When we run portversion, we see it builds a package database (pkgdb), then a ports database (portsdb) for its own use. We could have used pkg_version to produce the same output (see Listing 13).
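An added example, not from the article, that automates the check just described: it filters pkg_version -v output down to the packages marked "<", as portversion -v -l "<" does, and cross-references them with portaudit -a output so updates that close a known vulnerability stand out. Both sample outputs are constructed in the formats shown in Listings 10 and 13 and in the earlier Portaudit output; the VuXML reference URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): reproduce what portversion -v -l "<"
# does on top of pkg_version -v output, and cross-check the result against
# portaudit -a output so updates that close a known vulnerability stand out.
# Only the classic text formats of those two tools are assumed; the sample
# data below is constructed, not captured from a real host.

# Constructed sample in the format of Listing 10 (pkg_version -v).
SAMPLE_PKG_VERSION='ca_root_nss-3.11.9_2   =   up-to-date with port
curl-7.19.4            <   needs updating (port has 7.19.6_1)
db41-4.1.25_4          =   up-to-date with port
portaudit-0.5.12       <   needs updating (port has 0.5.13)
ruby-1.8.7.160_4,1     =   up-to-date with port'

# Constructed sample in the format of portaudit -a; the reference URL is a placeholder.
SAMPLE_PORTAUDIT='Affected package: curl-7.19.4
Type of problem: curl -- (constructed placeholder description).
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-VUXML-ID.html>

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.'

# needs_update: read pkg_version -v output on stdin and print
# "installed-package newer-version" for every line whose status is "<"
needs_update() {
    awk '$2 == "<" {
        newer = $0
        sub(/.*\(port has /, "", newer)   # keep what follows "(port has "
        sub(/\).*/, "", newer)            # drop the closing parenthesis
        print $1, newer
    }'
}

# affected_packages: read portaudit -a output on stdin and print the
# package names it flags
affected_packages() {
    sed -n 's/^Affected package: //p'
}

# prioritize PKG_VERSION_TEXT PORTAUDIT_TEXT: one line per outdated package,
# tagged SECURITY when portaudit also lists it, otherwise UPDATE
prioritize() {
    affected=$(printf '%s\n' "$2" | affected_packages)
    printf '%s\n' "$1" | needs_update | while read -r pkg newer; do
        if printf '%s\n' "$affected" | grep -qxF "$pkg"; then
            printf 'SECURITY %s -> %s\n' "$pkg" "$newer"
        else
            printf 'UPDATE   %s -> %s\n' "$pkg" "$newer"
        fi
    done
}

# security_count PKG_VERSION_TEXT PORTAUDIT_TEXT: how many pending updates
# fix a portaudit finding (prints 0 when none)
security_count() {
    prioritize "$1" "$2" | grep -c '^SECURITY' || true
}

# Demo on the constructed samples; on a real host, pass in
# "$(pkg_version -v)" and "$(portaudit -a)" instead.
prioritize "$SAMPLE_PKG_VERSION" "$SAMPLE_PORTAUDIT"
```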

So, with this information, how can we update packages that need updating?

The following advice is based on my personal preferences, but when updating packages I prefer to use packages, not compiling from source code, when possible. (I'll discuss alternatives later.) The following example will update the packages for which newer versions are available.

First we set proxy and PACKAGESITE variables, and then we invoke Portupgrade (see Listing 14).

When done, we can see the packages have been updated (see Listing 15).

So what just happened? Portupgrade found that Curl and Portaudit were out-of-date. It downloaded the newest packages from the packages-7-stable directory on a remote FreeBSD FTP server, uninstalled the out-of-date package, and installed the up-to-date package.

If you noticed in the Portupgrade output, the program stores copies of the packages it downloads in the /usr/ports/packages/All directory.


freebsd7# ls /usr/ports/packages/All
curl-7.19.6_1.tbz      portaudit-0.5.13.tbz


By specifying the -a switch we told Portupgrade to update all packages. The -v switch enabled verbose mode. The -PP switch told Portupgrade to only use packages, and it retrieved those packages from the public FreeBSD package repository.

There are other ways to invoke Portupgrade, such as telling it to only update individual packages, and then update their dependencies, and so on. I prefer this simpler approach of updating everything that requires it.


FreeBSD Package Dependencies

Dependencies are packages which are required in order to run other packages. We can use the pkg_info command to
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Listing 11. Installing portupgrade using pkg_add

freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/
freebsd7# pkg_add -v portupgrade
scheme:   [ftp]
user:     []
password: []
host:     [ftp.freebsd.org]
port:     [0]
document: [//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz]
---> ftp.freebsd.org:21
scheme:   [http]
user:     []
password: []
host:     [172.16.2.1]
port:     [3128]
document: [/]
---> 172.16.2.1:3128
looking up 172.16.2.1
connecting to 172.16.2.1:3128
requesting ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz
>>> GET ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/portupgrade.tbz HTTP/1.1
>>> Host: ftp.freebsd.org
>>> User-Agent: pkg_add libfetch/2.0
>>> Connection: close
...
Running mtree for portupgrade-2.4.6_3,2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/portupgrade-2.4.6_3,2..
Trying to record dependency on package 'ruby-1.8.7.160_4,1' with 'lang/ruby18' origin.
Trying to record dependency on package 'db41-4.1.25_4' with 'databases/db41' origin.
Trying to record dependency on package 'ruby18-bdb-0.6.5_1' with 'databases/ruby-bdb' origin.
Package portupgrade-2.4.6_3,2 registered in /var/db/pkg/portupgrade-2.4.6_3,2
Fill ALT_PKGDEP section in pkgtools.conf file for portupgrade
be aware of alternative dependencies you use.
e.g.
ALT_PKGDEP = {
  'www/apache13' => 'www/apache13-modssl',
  'print/ghostscript-gnu' => 'print/ghostscript-gpl',
}

Note also, portupgrade knows nothing how to handle ports with different
suffixes. (e.g. -nox11). So you should explicitely define variables
(E.g. WITHOUT_X11=yes) for the ports in /etc/make.conf or pkgtools.conf
(MAKE_ARGS section for the latter).
freebsd7# rehash
freebsd7# pkg_info
ca_root_nss-3.11.9_2 The root certificate bundle from the Mozilla Project
curl-7.19.4         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
db41-4.1.25_4       The Berkeley DB package, revision 4.1
portaudit-0.5.12    Checks installed ports against a list of security vulnerabi
portupgrade-2.4.6_3,2 FreeBSD ports/packages administration and management tool s
ruby-1.8.7.160_4,1  An object-oriented interpreted scripting language
ruby18-bdb-0.6.5_1  Ruby interface to Sleepycat's Berkeley DB revision 2 or lat

Listing 12. Using portversion to check for updates

freebsd7# portversion -v
[Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +7) ....... done]
[Updating the portsdb <format:bdb_btree> in /usr/ports ... - 20616 port entries found ... done]
ca_root_nss-3.11.9_2   =   up-to-date with port
curl-7.19.4            <   needs updating (port has 7.19.6_1)
db41-4.1.25_4          =   up-to-date with port
portaudit-0.5.12       <   needs updating (port has 0.5.13)
portupgrade-2.4.6_3,2  =   up-to-date with port
ruby-1.8.7.160_4,1     =   up-to-date with port
ruby18-bdb-0.6.5_1     =   up-to-date with port

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Listing 13. Using pkg_version to check for updates

freebsd7# pkg_version -v
ca_root_nss-3.11.9_2   =   up-to-date with port
curl-7.19.4            <   needs updating (port has 7.19.6_1)
db41-4.1.25_4          =   up-to-date with port
portaudit-0.5.12       <   needs updating (port has 0.5.13)
portupgrade-2.4.6_3,2  =   up-to-date with port
ruby-1.8.7.160_4,1     =   up-to-date with port
ruby18-bdb-0.6.5_1     =   up-to-date with port
Listing 14. Updating old packages with new packages using portupgrade

freebsd7# setenv HTTP_PROXY http://172.16.2.1:3128
freebsd7# setenv PACKAGESITE ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/
freebsd7# portupgrade -vaPP
---> Session started at: Tue, 25 Aug 2009 09:28:59 -0400
---> Checking for the latest package of 'ftp/curl'
** No such file or directory - /usr/ports/packages/All
---> Fetching the package(s) for 'curl-7.19.6_1' (ftp/curl)
---> Fetching curl-7.19.6_1
++ Will try the following sites in the order named:
	ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeRvouj4wil/curl-7.19.6_1.tbz' 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/All/curl-7.19.6_1.tbz'
/var/tmp/portupgradeRvouj4wil/curl-7.19.6_1.tbz  100% of ... kB 2824 kBps
---> Downloaded as curl-7.19.6_1.tbz
---> Identifying the package /var/tmp/portupgradeRvouj4wil/curl-7.19.6_1.tbz
---> Saved as /usr/ports/packages/All/curl-7.19.6_1.tbz
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
	+ curl-7.19.6_1
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Found a package of 'ftp/curl': /usr/ports/packages/All/curl-7.19.6_1.tbz (curl-7.19.6_1)
---> Located a package version 7.19.6_1 (/usr/ports/packages/All/curl-7.19.6_1.tbz)
---> Upgrade of ftp/curl started at: Tue, 25 Aug 2009 09:29:18 -0400
---> Upgrading 'curl-7.19.4' to 'curl-7.19.6_1' (ftp/curl) using a package
---> Updating dependency info
---> Uninstallation of curl-7.19.4 started at: Tue, 25 Aug 2009 09:29:19 -0400
---> Fixing up dependencies before creating a package
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'curl-7.19.4'
---> Preserving /usr/local/lib/libcurl.so.5 as /usr/local/lib/compat/pkg/libcurl.so.5
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 6 packages found (-1 +0) (...) done]
---> Uninstallation of curl-7.19.4 ended at: Tue, 25 Aug 2009 09:29:34 -0400 (consumed 00:00:15)
---> Installation of curl-7.19.6_1 started at: Tue, 25 Aug 2009 09:29:34 -0400
---> Installing the new version via the package
---> Removing temporary files and directories
---> Removing old package
---> Installation of curl-7.19.6_1 ended at: Tue, 25 Aug 2009 09:29:38 -0400 (consumed 00:00:04)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +1) (...) done]
---> Upgrade of ftp/curl ended at: Tue, 25 Aug 2009 09:29:49 -0400 (consumed 00:00:30)
---> ** Upgrade tasks 2: 1 done, 0 ignored, 0 skipped and 0 failed
---> Checking for the latest package of 'ports-mgmt/portaudit'
---> Fetching the package(s) for 'portaudit-0.5.13' (ports-mgmt/portaudit)
---> Fetching portaudit-0.5.13
++ Will try the following sites in the order named:
	ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeY3vilos4H/portaudit-0.5.13.tbz' 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-7-stable/All/portaudit-0.5.13.tbz'
/var/tmp/portupgradeY3vilos4H/portaudit-0.5.13.tbz  100% of ... kB 1842 kBps
---> Downloaded as portaudit-0.5.13.tbz
---> Identifying the package /var/tmp/portupgradeY3vilos4H/portaudit-0.5.13.tbz
---> Saved as /usr/ports/packages/All/portaudit-0.5.13.tbz
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
	+ portaudit-0.5.13
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Found a package of 'ports-mgmt/portaudit': /usr/ports/packages/All/portaudit-0.5.13.tbz (portaudit-0.5.13)
---> Located a package version 0.5.13 (/usr/ports/packages/All/portaudit-0.5.13.tbz)
---> Upgrade of ports-mgmt/portaudit started at: Tue, 25 Aug 2009 09:29:59 -0400
---> Upgrading 'portaudit-0.5.12' to 'portaudit-0.5.13' (ports-mgmt/portaudit) using a package
---> Updating dependency info
---> Uninstallation of portaudit-0.5.12 started at: Tue, 25 Aug 2009 09:30:00 -0400
---> Fixing up dependencies before creating a package
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
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'portaudit-0.5.12'

The portaudit package has been deleted.

If you're not upgrading and won't be using
it any longer, you may want to remove the portaudit database:
rm -Rf /var/db/portaudit

[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 6 packages found (-1 +0) (...) done]
---> Uninstallation of portaudit-0.5.12 ended at: Tue, 25 Aug 2009 09:30:20 -0400 (consumed 00:00:20)
---> Installation of portaudit-0.5.13 started at: Tue, 25 Aug 2009 09:30:20 -0400
---> Installing the new version via the package
---> Removing temporary files and directories
---> Removing old package
---> Installation of portaudit-0.5.13 ended at: Tue, 25 Aug 2009 09:30:22 -0400 (consumed 00:00:01)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 7 packages found (-0 +1) (...) done]
---> Upgrade of ports-mgmt/portaudit ended at: Tue, 25 Aug 2009 09:30:31 -0400 (consumed 00:00:32)
---> ** Upgrade tasks 2: 2 done, 0 ignored, 0 skipped and 0 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
	+ ftp/curl (curl-7.19.4)
	+ ports-mgmt/portaudit (portaudit-0.5.12)
---> Packages processed: 2 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Tue, 25 Aug 2009 09:30:40 -0400 (consumed 00:01:40)
Listing 15. Portversion shows packages as up-to-date

freebsd7# portversion -v
ca_root_nss-3.11.9_2   =   up-to-date with port
curl-7.19.6_1          =   up-to-date with port
db41-4.1.25_4          =   up-to-date with port
portaudit-0.5.13       =   up-to-date with port
portupgrade-2.4.6_3,2  =   up-to-date with port
ruby-1.8.7.160_4,1     =   up-to-date with port
ruby18-bdb-0.6.5_1     =   up-to-date with port


Listing 16. Installing pkg_tree

freebsd7# pkg_add -r pkg_tree
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/pkg_tree.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/perl-5.8.9_3.tbz... Done.
Removing stale symlinks from /usr/bin...
    Skipping /usr/bin/perl
    Skipping /usr/bin/perl5
Done.
Creating various symlinks in /usr/bin...
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl
    Symlinking /usr/local/bin/perl5.8.9 to /usr/bin/perl5
Done.
Cleaning up /etc/make.conf... Done.
Spamming /etc/make.conf... Done.
Cleaning up /etc/manpath.config... Done.
Spamming /etc/manpath.config... Done.

Listing 17. Running pkg_tree

freebsd7# pkg_tree
ca_root_nss-3.11.9_2
curl-7.19.6_1
|\__ ca_root_nss-3.11.9_2
db41-4.1.25_4
perl-5.8.9_3
pkg_tree-1.1_1
|\__ perl-5.8.9_3
portaudit-0.5.13
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
|\__ ruby18-bdb-0.6.5_1
ruby-1.8.7.160_4,1
ruby18-bdb-0.6.5_1
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
Listing 18. Installing mutt and updating pkg_db

freebsd7# pkg_add -r mutt
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/mutt.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/urlview-0.9_2.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/ispell-3.3.02_4.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/mime-support-3.46.1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/png-1.2.38.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pcre-7.9.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/libiconv-1.13.1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/libslang2-2.1.4_1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/gettext-0.17_1.tbz... Done.
freebsd7# pkgdb -vu
---> Updating the pkg_db
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 18 packages found (-0 +9) ......... done]
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Listing 19. Failing to remove pcre because of dependencies

freebsd7# pkg_deinstall pcre-7.9/
---> Deinstalling 'pcre-7.9'
pkg_delete: package 'pcre-7.9' is required by these other packages
and may not be deinstalled:
libslang2-2.1.4_1
mutt-1.4.2.3_3
** Listing the failed packages (-:ignored / *:skipped / !:failed)
	! pcre-7.9 (pkg_delete failed)

Listing 20. Removing mutt and its dependencies using pkg_deinstall

freebsd7# pkg_deinstall -R mutt-1.4.2.3_3/
---> Deinstalling 'mutt-1.4.2.3_3'
---> Deinstalling 'urlview-0.9_2'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 17 packages found (-1 +0) (...) done]
---> Deinstalling 'libslang2-2.1.4_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 16 packages found (-1 +0) (...) done]
---> Deinstalling 'pcre-7.9'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 15 packages found (-1 +0) (...) done]
---> Deinstalling 'mime-support-3.46.1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 14 packages found (-1 +0) (...) done]
---> Deinstalling 'png-1.2.38'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 13 packages found (-1 +0) (...) done]
---> Deinstalling 'gettext-0.17_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-1 +0) (...) done]
---> Deinstalling 'libiconv-1.13.1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 11 packages found (-1 +0) (...) done]
---> Deinstalling 'ispell-3.3.02_4'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-1 +0) (...) done]
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-1 +0) (...) done]

Listing 21. Installing nmap and tcpflow

freebsd7# pkg_add -r nmap
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/nmap.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pkg-config-0.23_1.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/lua-5.1.4.tbz... Done.
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/All/pcre-7.9.tbz... Done.
freebsd7# pkg_add -r tcpflow
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/tcpflow.tbz... Done.
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 14 packages found (-0 +5) ..... done]

Listing 22. Installing pkg_cutleaves

freebsd7# pkg_add -r pkg_cutleaves
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/pkg_cutleaves.tbz... Done.
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 15 packages found (-0 +1) . done]
freebsd7# rehash
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learn what packages a specified package depends on:

freebsd7# pkg_info -rx curl
Information for curl-7.19.6_1:

Depends on:
Dependency: ca_root_nss-3.11.9_2

Here we see that curl depends on the ca_root_nss package. The -r command tells pkg_info to display the packages on which curl depends. The -x switch tells pkg_info to do a regular expression match, so we don't have to list the whole package name. Does anything depend on curl?
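An added example, not from the article, showing what the dependency questions above come down to on disk: under the classic pkg_install layout each installed package has a /var/db/pkg/NAME/+CONTENTS file whose @pkgdep lines name its dependencies, so "what does X need" is a read of X's own file and "what needs X" is a search of everyone else's. The package set is constructed in a temporary directory (modelled on Listings 17 and 19), and the helper names depends_on, required_by and is_leaf are mine, not pkg_info's.

```shell
#!/bin/sh
# Added example (not from the article): answer "what does X depend on?" and
# "what depends on X?" directly from the pkg_install database layout, where
# each installed package has /var/db/pkg/<name>/+CONTENTS with one
# "@pkgdep <name>" line per dependency. The database here is constructed in
# a temporary directory so the script runs anywhere; nothing touches /var/db/pkg.

PKGDB=$(mktemp -d "${TMPDIR:-/tmp}/pkgdb.XXXXXX")
trap 'rm -rf "$PKGDB"' EXIT

# add_pkg NAME [DEP ...]: register NAME with a minimal +CONTENTS listing its deps
add_pkg() {
    name=$1
    shift
    mkdir -p "$PKGDB/$name"
    {
        printf '@comment PKG_FORMAT_REVISION:1.1\n@name %s\n' "$name"
        for dep in "$@"; do
            printf '@pkgdep %s\n' "$dep"
        done
    } > "$PKGDB/$name/+CONTENTS"
}

# Constructed package set modelled on Listings 17 and 19.
add_pkg ca_root_nss-3.11.9_2
add_pkg curl-7.19.6_1 ca_root_nss-3.11.9_2
add_pkg pcre-7.9
add_pkg libslang2-2.1.4_1 pcre-7.9
add_pkg mutt-1.4.2.3_3 libslang2-2.1.4_1 pcre-7.9

# depends_on NAME: what NAME needs (the list pkg_info -r prints)
depends_on() {
    sed -n 's/^@pkgdep //p' "$PKGDB/$1/+CONTENTS" | sort
}

# required_by NAME: every package whose +CONTENTS names NAME as a dependency
# (the list pkg_info -R prints, and the reason pkg_delete refuses in Listing 19)
required_by() {
    grep -lxF "@pkgdep $1" "$PKGDB"/*/+CONTENTS 2>/dev/null \
        | awk -F/ '{ print $(NF-1) }' | sort
}

# is_leaf NAME: succeeds when nothing depends on NAME, i.e. it can be deleted
# without breaking another package
is_leaf() {
    [ -z "$(required_by "$1")" ]
}

# Demo when run stand-alone
for p in curl-7.19.6_1 pcre-7.9 mutt-1.4.2.3_3; do
    printf '%s depends on: %s\n' "$p" "$(depends_on "$p" | tr '\n' ' ')"
    printf '%s required by: %s\n' "$p" "$(required_by "$p" | tr '\n' ' ')"
    if is_leaf "$p"; then
        echo "  -> leaf package, safe to pkg_delete"
    fi
done
```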


Listing 23. Using pkg_cutleaves to remove nmap and tcpflow and dependencies

freebsd7# pkg_cutleaves
Package 1 of 7:
curl-7.19.6_1 - Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
curl-7.19.6_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping curl-7.19.6_1.
Package 2 of 7:
nmap-5.00 - Port scanning utility for large networks
nmap-5.00 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking nmap-5.00 for removal.
Package 3 of 7:
pkg_cutleaves-20090810 - Interactive script for deinstalling 'leaf' packages
pkg_cutleaves-20090810 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping pkg_cutleaves-20090810.
Package 4 of 7:
pkg_tree-1.1_1 - Get a 'graphical' tree-overview of installed packages
pkg_tree-1.1_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping pkg_tree-1.1_1.
Package 5 of 7:
portaudit-0.5.13 - Checks installed ports against a list of security vulnerabilities
portaudit-0.5.13 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping portaudit-0.5.13.
Package 6 of 7:
portupgrade-2.4.6_3,2 - FreeBSD ports/packages administration and management tool suite
portupgrade-2.4.6_3,2 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort?
** Keeping portupgrade-2.4.6_3,2.
Package 7 of 7:
tcpflow-0.21_1 - A tool for capturing data transmitted as part of TCP connections
tcpflow-0.21_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking tcpflow-0.21_1 for removal.
Deleting nmap-5.00 (package 1 of 2).
Deleting tcpflow-0.21_1 (package 2 of 2).
Go on with new leaf packages ([yes]/no)? y
Package 1 of 2:
lua-5.1.4 - Small, compilable scripting language providing easy access to C code
lua-5.1.4 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking lua-5.1.4 for removal.
Package 2 of 2:
pcre-7.9 - Perl Compatible Regular Expressions library
pcre-7.9 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking pcre-7.9 for removal.
Deleting lua-5.1.4 (package 1 of 2).
Deleting pcre-7.9 (package 2 of 2).
Go on with new leaf packages ([yes]/no)? y
Package 1 of 1:
pkg-config-0.23_1 - A utility to retrieve information about installed libraries
pkg-config-0.23_1 - [keep]/(d)elete/(f)lush marked pkgs/(a)bort? d
** Marking pkg-config-0.23_1 for removal.
Deleting pkg-config-0.23_1 (package 1 of 1).
** Didn't find any new leaves to work with, exiting.
** Deinstalled packages:
lua-5.1.4
nmap-5.00
pcre-7.9
pkg-config-0.23_1
tcpflow-0.21_1
** Number of deinstalled packages: 5
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-5 +0) (...) done]
Listing 24. Updating the ports tree with portsnap

freebsd7# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 3 mirrors found.
Fetching snapshot tag from portsnap2.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Mon Aug 24 13:52:56 EDT 2009 to Tue Aug 25 07:32:23 EDT 2009.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 32 patches.....10....20....30. done.
Applying patches... done.
Fetching 2 new ports or files... done.
freebsd7# portsnap update
Removing old files and directories... done.
Extracting new files:
/usr/ports/audio/gihkooed/
/usr/ports/databases/pgadmin3/
/usr/ports/devel/cvsnt/
/usr/ports/devel/git/
/usr/ports/devel/jude-community/
/usr/ports/devel/p5-local-lib/
/usr/ports/games/wesnoth/
/usr/ports/graphics/Makefile
/usr/ports/graphics/mmrecover/
/usr/ports/graphics/rubygem-scruffy/
/usr/ports/mail/metal/
/usr/ports/net-mgmt/nagios-plugins/
/usr/ports/net/nss-ldapd/
/usr/ports/ports-mgmt/portmaster/
/usr/ports/security/fiked/
/usr/ports/security/swatch/
/usr/ports/security/maixmil/
/usr/ports/sysutils/e2fsprogs/
/usr/ports/sysutils/libchk/
/usr/ports/sysutils/virtualmin/
/usr/ports/textproc/ansifilter/
/usr/ports/textproc/yodl/
/usr/ports/www/Makefile
/usr/ports/www/apache22/
/usr/ports/www/elinks/
/usr/ports/www/galeon/
/usr/ports/www/gist/
/usr/ports/www/p5-Catalyst-View-JSON/
/usr/ports/www/p5-HTTP-Engine/
/usr/ports/www/pyweblib/
/usr/ports/x11-clocks/xdaliclock/
/usr/ports/x11/gdm/
/usr/ports/x11/gnome2-fifth-toe/
/usr/ports/x11/xorg/
Building new INDEX files... done.
freebsd7# pkg_info -Rx curl
Information for curl-7.19.6_1:


The -R switch shows what requires a package; here nothing depends on curl. If we run the same command for ca_root_nss, however, we see that curl requires it.

freebsd7# pkg_info -Rx ca_root_nss
Information for ca_root_nss-3.11.9_2:

Required by:
curl-7.19.6_1

Another way to understand these relationships is to install the pkg_tree package. From now on, when adding new packages, it helps to update the package database maintained by Portupgrade, using the pkgdb command.

freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-0 +2) .. done]

If you forget to run pkgdb after installing a package, it's not a big problem. Any time a tool in the Portupgrade suite is invoked (such as portupgrade itself, or other tools), the pkgdb will be updated. During the pkg_tree installation process we saw Perl installed as a dependency of pkg_tree. Once installed, run pkg_tree and tell it to show what packages curl depends on.

freebsd7# pkg_tree curl
curl-7.19.6_1
\__ ca_root_nss-3.11.9_2

Portupgrade presents a more complicated example.

freebsd7# pkg_tree portupgrade
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
\__ ruby18-bdb-0.6.5_1

We can go one step farther and follow the dependency chain using the -v switch.

freebsd7# pkg_tree -v portupgrade
portupgrade-2.4.6_3,2
|\__ ruby-1.8.7.160_4,1
|\__ db41-4.1.25_4
\__ ruby18-bdb-0.6.5_1
   |\__ ruby-1.8.7.160_4,1
   \__ db41-4.1.25_4

Now we see that Portupgrade depends on ruby, db41, and ruby18-bdb, and that ruby18-bdb depends on ruby and db41 as well. Running pkg_tree with no arguments shows the dependencies of every installed package (see Listing 17). Understanding dependencies is important, because FreeBSD won't let you delete a package when another package depends on it. We'll look at that next.

Removing Packages

For the following examples we add the open source text email client Mutt to our system. When you check Mutt's dependencies, you find several:

freebsd7# pkg_tree mutt
mutt-1.4.2.3_3
|\__ urlview-0.9_2
|\__ ispell-3.3.02_4
|\__ mime-support-3.46.1
|\__ png-1.2.38
|\__ pcre-7.9
|\__ libiconv-1.13.1
|\__ libslang2-2.1.4_1
\__ gettext-0.17_1

If you try to delete, say, the pcre package, the attempt will fail:

freebsd7# pkg_delete pcre-7.9
pkg_delete: package 'pcre-7.9' is required by these other packages and may not be deinstalled:
libslang2-2.1.4_1
mutt-1.4.2.3_3

If you try the pkg_deinstall tool shipped with Portupgrade, it will also fail (see Listing 19). This is a strength of the packages system, not a weakness: we don't want to break the system by removing a package on which others depend. What if we decided to remove Mutt? We could check what depends on it using pkg_info again.

freebsd7# pkg_info -Rx mutt
Information for mutt-1.4.2.3_3:


Nothing depends on Mutt. So, if we wanted to, we could simply delete it using pkg_deinstall
Listing 25. Updating the portsdb used by portupgrade

freebsd7# portsdb -u
[Updating the portsdb <format:bdb_btree> in /usr/ports ... - 20615 port entries found .........1000.........2000.........3000.........4000.........5000.........6000.........7000.........8000.........9000.........10000.........11000.........12000.........13000.........14000.........15000.........16000.........17000

Listing 26. Removing curl using pkg_deinstall

freebsd7# pkg_deinstall -r curl
--->  Deinstalling 'curl-7.19.6_1'
--->  Deinstalling 'ca_root_nss-3.11.9_2'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-1 +0) (...) done]
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 8 packages found (-1 +0) (...) done]

Listing 27. Finding the screen port in /usr/ports

freebsd7# cd /usr/ports
freebsd7# make search name=screen
Port:   screen-4.0.3_6
Path:   /usr/ports/sysutils/screen
Info:   A multi-screen window manager
Maint:  cy@FreeBSD.org
B-deps:
R-deps: gettext-0.17_1 libiconv-1.13.1 texinfo-4.13
WWW:    http://www.gnu.org/software/screen/
...truncated...

Listing 28. The screen port is located

freebsd7# cd /usr/ports/sysutils/screen
freebsd7# ls -al
total 22
drwxr-xr-x    3 root  wheel    512 Aug 24 16:46 .
drwxr-xr-x  517 root  wheel  17920 Aug 25 07:37 ..
-rw-r--r--    1 root  wheel   2366 Feb 23  2009 Makefile
-rw-r--r--    1 root  wheel    195 Oct 26  2008 distinfo
drwxr-xr-x    2 root  wheel    512 Aug 24 16:46 files
-rw-r--r--    1 root  wheel    504 Dec 27  2002 pkg-descr
-rw-r--r--    1 root  wheel    853 Aug 30  2004 pkg-plist

Listing 29. Running make showconfig for screen

freebsd7# make showconfig
===> The following configuration options are available for screen-4.0.3_6:
     CJK=OFF (default) "Treat CJK ambiguous characters as full width"
     INFO=ON (default) "Build and install info documentation"
     MAN=ON (default) "Build and install man pages"
     NETHACK=ON (default) "Enable nethack-style messages"
     XTERM_256=OFF (default) "Enable support for 256 colour xterm"
     HOSTINLOCKED=OFF (default) "Print user@host in locked message"
     SHOWENC=OFF (default) "Show encoding on the status line"
===> Use 'make config' to modify these settings
or pkg_delete. However, when we installed Mutt, it brought 8 dependencies along with it. Wouldn't it be good to remove those as well? We can use the pkg_deinstall command with the -r switch for that purpose (see Listing 20). We've now completely removed Mutt and the packages on which Mutt depended.

Identifying and Removing Unwanted Packages

For the purposes of the next example, I install Nmap and Tcpflow (see Listing 21). Let's imagine that a while passes, and later we'd like to perform some housecleaning on our installed packages.

Listing 30. Results of running make config for the screen port

freebsd7# ls /var/db/ports
screen
freebsd7# ls /var/db/ports/screen/
options
freebsd7# cat /var/db/ports/screen/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for screen-4.0.3_6
_OPTIONS_READ=screen-4.0.3_6
WITHOUT_CJK=true
WITH_INFO=true
WITH_MAN=true
WITH_NETHACK=true
WITHOUT_XTERM_256=true
WITHOUT_HOSTINLOCKED=true
WITHOUT_SHOWENC=true

Listing 31. Running make for the screen port

freebsd7# make
===> Found saved configuration for screen-4.0.3_6
=> screen-4.0.3.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://ftp.uni-erlangen.de/pub/utilities/screen/.
screen-4.0.3.tar.gz                           100% of  820 kB  562 kBps
===> Extracting for screen-4.0.3_6
=> MD5 Checksum OK for screen-4.0.3.tar.gz.
=> SHA256 Checksum OK for screen-4.0.3.tar.gz.
===> Patching for screen-4.0.3_6
===> Applying FreeBSD patches for screen-4.0.3_6
===> Configuring for screen-4.0.3_6
this is screen version 4.0.3
checking for gcc... cc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
...edited...
cc -o screen screen.o ansi.o fileio.o mark.o misc.o resize.o socket.o search.o tty.o term.o window.o utmp.o loadav.o putenv.o help.o termcap.o input.o attacher.o pty.o process.o display.o comm.o kmapdef.o acls.o braille.o braille_tsi.o logfile.o layer.o sched.o teln.o nethack.o encoding.o -ltermcap -lutil -lcrypt
I periodically install packages for a single task, and then leave them behind. To perform housecleaning, I prefer using the pkg_cutleaves tool (see Listing 22).

Next I invoke pkg_cutleaves. I'm looking for packages I'd like to remove, and Nmap and Tcpflow catch my eye. When I want to keep a package, I hit [return]. When I want to delete a package, I hit d. When asked if I want to go on with new leaf packages, I enter y and continue the process (see Listing 23).

As we can see, the result of this process was removing Nmap, Tcpflow, and their dependencies. Note that pkg_cutleaves only ever offers "leaf" packages, those nothing else requires, so a dependency that is also used by a package you keep never comes up for deletion; the second and third rounds above exist because lua, pcre and pkg-config became leaves only once Nmap and Tcpflow were gone. If we knew from the outset what we wanted to delete, we could have run pkg_deinstall as shown earlier. Here I like to use the browsing nature of pkg_cutleaves to identify packages which I don't necessarily realize I want to delete from the beginning.
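The pkg_delete refusal in the Removing Packages section and the leaf list that pkg_cutleaves walks through both come from the same place: the per-package directories under /var/db/pkg, where +CONTENTS carries one @pkgdep line per dependency and +REQUIRED_BY lists the packages that depend on the package. The following is an added example, not FreeBSD's own code, that models that database in a temporary directory using the package names from the pkg_tree output above and implements the three operations in POSIX sh: the recursive view pkg_tree -v gives, the reverse lookup pkg_info -R gives, and the "is anything still required by it" test behind both pkg_delete and pkg_cutleaves. The package data is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not FreeBSD's code): a model of the per-package records the
# pkg_* tools keep under /var/db/pkg. pkg_add writes "@pkgdep <name>" lines
# into <pkg>/+CONTENTS and appends the new package to each dependency's
# <dep>/+REQUIRED_BY; pkg_info -R reads +REQUIRED_BY, pkg_delete refuses when
# it is non-empty, and pkg_cutleaves offers exactly the packages whose
# +REQUIRED_BY is empty. The database lives in a temporary directory here.

PKGDB=$(mktemp -d)
trap 'rm -rf "$PKGDB"' EXIT

# register <pkg> [<dependency> ...]: record a package and its forward
# dependencies, maintaining the reverse +REQUIRED_BY index as pkg_add does.
register() {
    pkg=$1; shift
    mkdir -p "$PKGDB/$pkg"
    : > "$PKGDB/$pkg/+CONTENTS"
    [ -e "$PKGDB/$pkg/+REQUIRED_BY" ] || : > "$PKGDB/$pkg/+REQUIRED_BY"
    for dep in "$@"; do
        printf '@pkgdep %s\n' "$dep" >> "$PKGDB/$pkg/+CONTENTS"
        mkdir -p "$PKGDB/$dep"
        printf '%s\n' "$pkg" >> "$PKGDB/$dep/+REQUIRED_BY"
    done
}

# depends_on <pkg>: direct dependencies from the @pkgdep lines
# (what pkg_tree prints one level deep).
depends_on() {
    awk '$1 == "@pkgdep" { print $2 }' "$PKGDB/$1/+CONTENTS" 2>/dev/null
}

# required_by <pkg>: what pkg_info -R prints for it.
required_by() {
    cat "$PKGDB/$1/+REQUIRED_BY" 2>/dev/null
}

# tree <pkg> [indent]: the recursive view pkg_tree -v gives.
tree() {
    printf '%s%s\n' "${2:-}" "$1"
    for dep in $(depends_on "$1"); do
        tree "$dep" "${2:-}    "
    done
}

# leaves: packages nothing else requires, the candidates pkg_cutleaves shows.
leaves() {
    for dir in "$PKGDB"/*/; do
        pkg=$(basename "$dir")
        [ -s "$dir/+REQUIRED_BY" ] || printf '%s\n' "$pkg"
    done
}

# can_delete <pkg>: the pkg_delete rule. Returns 1 and names the dependents
# when removal would break another package.
can_delete() {
    if [ -s "$PKGDB/$1/+REQUIRED_BY" ]; then
        printf "pkg_delete: package '%s' is required by these other packages and may not be deinstalled:\n" "$1" >&2
        cat "$PKGDB/$1/+REQUIRED_BY" >&2
        return 1
    fi
    return 0
}

# Constructed data mirroring the article: curl needs ca_root_nss, mutt needs
# pcre both directly and through libslang2, nmap stands alone.
register ca_root_nss-3.11.9_2
register curl-7.19.6_1 ca_root_nss-3.11.9_2
register pcre-7.9
register libslang2-2.1.4_1 pcre-7.9
register mutt-1.4.2.3_3 libslang2-2.1.4_1 pcre-7.9
register nmap-5.00

tree mutt-1.4.2.3_3
echo "leaves:"; leaves
can_delete pcre-7.9 || echo "(refused, as pkg_delete would)"
```

Running it prints the mutt subtree with pcre appearing twice, lists curl, mutt and nmap as the only leaves, and refuses to delete pcre because libslang2 and mutt still list it in +REQUIRED_BY. Deleting mutt first would empty libslang2's +REQUIRED_BY and make it a leaf on the next pass, which is exactly the "new leaf packages" loop pkg_cutleaves runs in Listing 23.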


Preparing to Build and Install Packages Using the Ports Tree

Throughout this article we have installed packages built by the FreeBSD project. However, because we have the ports tree installed on our system, we can build and install our own packages.

Earlier we updated our ports tree using Portsnap. Here we will update it again (see Listing 24).

After running portsnap fetch and portsnap update, we update the INDEX-7.db used by Portupgrade (see Listing 25). To keep it clear: Portsnap updates /usr/ports/INDEX-7, and portsdb updates /usr/ports/INDEX-7.db.

For the following examples we will deinstall Curl and its dependencies, and then reinstall them later (see Listing 26).

For this example we will install the Screen application using the ports tree.

We'll start by using the port as an example of how to install a package. First we have to locate the port. We can use the make search name= command in the /usr/ports directory (see Listing 27).

Here we see that sysutils/screen is the port we want (see Listing 28).

These are the files we will need to build a package using this port. To determine if there are any dependencies required to build a package from this port, we can use the following command.

freebsd7# make pretty-print-build-depends-list

There are no dependencies to build the package. We can also see if any packages are required to run the package once installed.

freebsd7# make pretty-print-run-depends-list

There are no dependencies to run the package. The next command I like to run when encountering a new port is make showconfig. This command shows the options that will be set by default when building the package from the ports tree. The default settings are the ones used to build the package provided by the FreeBSD project (see Listing 29).

We can run make config to change or just view these settings. This starts a curses window. We leave the configuration as-is but hit OK to exit. Running make config has created the following entries in the /var/db/ports directory (see Listing 30).

The ports tree will use these options when building the package.

Building and Installing Packages Using the Ports Tree: A Simple Example

At this point we are ready to proceed. In the /usr/ports/sysutils/screen directory, run make (see Listing 31).

To install we run make install (see Listing 32). Screen is now installed. Note the SECURITY REPORT at the end of Listing 32: the ports framework lists /usr/local/bin/screen as a binary that executes with increased privileges, and that report is the place to look before keeping such a port on a multi-user system.
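The "MD5 Checksum OK" and "SHA256 Checksum OK" lines in Listing 31 are the step that protects the build from a tampered or truncated distfile: the fetched tarball is compared against the digests and size recorded in the port's distinfo file (the file listed in Listing 28), whose lines have the form "SHA256 (file) = hex" and "SIZE (file) = bytes". The following is an added example, not the ports framework's own code, that performs the same check stand-alone in POSIX sh against a constructed distfile and distinfo, including what happens when the file is altered after the digest was recorded. It assumes that sha256(1), sha256sum(1) or openssl(1) is available, and it checks only the SHA256 and SIZE entries, since those are the ones that matter (MD5 alone is not collision resistant).

```shell
#!/bin/sh
# Added example (not the ports framework's code): re-implement the distfile
# check that runs before "===> Extracting for ...". It reads the distinfo
# format a port directory carries and refuses a distfile whose size or
# SHA-256 digest differs from what the port committer recorded.

# Portable SHA-256: FreeBSD ships sha256(1), GNU systems sha256sum(1),
# and openssl(1) works on both.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Size in bytes without stat(1), whose flags differ between BSD and GNU.
size_of() {
    wc -c < "$1" | tr -d ' '
}

# distinfo_value <distinfo> <KEY> <filename>: the recorded value for one
# "KEY (filename) = value" line, empty if there is none.
distinfo_value() {
    awk -v key="$2" -v f="($3)" '$1 == key && $2 == f { print $4; exit }' "$1"
}

# verify_distfile <distinfo> <path-to-distfile>
# Returns 0 only when both SIZE and SHA256 match the distinfo entry. A
# missing file or a file distinfo does not list is a failure, not a pass.
verify_distfile() {
    distinfo=$1; file=$2; name=$(basename "$file")
    want_size=$(distinfo_value "$distinfo" SIZE "$name")
    want_sha=$(distinfo_value "$distinfo" SHA256 "$name")
    if [ -z "$want_size" ] || [ -z "$want_sha" ]; then
        echo "=> No SIZE/SHA256 recorded for $name in $distinfo." >&2
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "=> $name doesn't seem to exist." >&2
        return 1
    fi
    if [ "$(size_of "$file")" != "$want_size" ]; then
        echo "=> Size mismatch for $name (expected $want_size bytes)." >&2
        return 1
    fi
    if [ "$(sha256_of "$file")" != "$want_sha" ]; then
        echo "=> SHA256 Checksum mismatch for $name." >&2
        return 1
    fi
    echo "=> SHA256 Checksum OK for $name."
    return 0
}

# Constructed demonstration data: a stand-in distfile, a distinfo generated
# from it, then the same file after a change the digest must catch.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf 'this stands in for screen-4.0.3.tar.gz\n' > "$DEMO/screen-4.0.3.tar.gz"
{
    printf 'SHA256 (screen-4.0.3.tar.gz) = %s\n' "$(sha256_of "$DEMO/screen-4.0.3.tar.gz")"
    printf 'SIZE (screen-4.0.3.tar.gz) = %s\n' "$(size_of "$DEMO/screen-4.0.3.tar.gz")"
} > "$DEMO/distinfo"

verify_distfile "$DEMO/distinfo" "$DEMO/screen-4.0.3.tar.gz"
printf 'tampered\n' >> "$DEMO/screen-4.0.3.tar.gz"
verify_distfile "$DEMO/distinfo" "$DEMO/screen-4.0.3.tar.gz" || echo "=> refusing to extract."
```

The size check runs first because it is cheap and catches a truncated download before any hashing; the digest check is the one that catches substitution, which is why a mirror being unreachable (as in Listing 37, where the first two fetch attempts time out) is an annoyance rather than a risk: whatever mirror finally answers, the file must still match distinfo.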


Building and Installing Packages Using the Ports Tree: A More Complicated Example

For a more complicated example, let's install Curl using the ports tree. To install Curl via the ports tree, we need to know where it lives. We might remember it from the ftp/curl directory at the beginning of the article, but if we aren't sure we can again use the make search name= command in the /usr/ports directory (see Listing 33).

The first entry is what we want, but many other programs with curl in their name are listed. In addition to running make search name= we could also use make search key= to specify a keyword for searching. Since ftp/curl has what we want, we change to that directory. Again we run make showconfig to see the available options (see Listing 34). If we run make config, we'll see a curses interface for the same options. Here I have enabled the LIBSSH2 option, which was off by default. The ability to modify a package to meet local requirements, but then manage that package using standard tools, is one of the great strengths of the FreeBSD ports tree.

Listing 32. Running make install for the screen port

freebsd7# make install
===> Installing for screen-4.0.3_6
===> Generating temporary packing list
===> Checking if sysutils/screen already installed
...edited...
===> Registering installation for screen-4.0.3_6
===> SECURITY REPORT:
      This port has installed the following binaries which execute with
      increased privileges.
/usr/local/bin/screen

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://www.gnu.org/software/screen/
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 9 packages found (-0 +1) . done]
freebsd7# rehash
freebsd7# which screen
/usr/local/bin/screen

Listing 33. Finding the curl port

freebsd7# cd /usr/ports
freebsd7# make search name=curl
Port:   curl-7.19.6_1
Path:   /usr/ports/ftp/curl
Info:   Non-interactive tool to get files from FTP, GOPHER, HTTP(S) servers
Maint:  roam@FreeBSD.org
B-deps: perl-5.8.9_3
R-deps: ca_root_nss-3.11.9_2
WWW:    http://curl.haxx.se/

Port:   curlpp-0.7.1
Path:   /usr/ports/ftp/curlpp
Info:   A C++ wrapper for libcurl
Maint:  roam@FreeBSD.org
B-deps: ca_root_nss-3.11.9_2 curl-7.19.6_1
R-deps: ca_root_nss-3.11.9_2 curl-7.19.6_1
WWW:
...truncated...

After selecting OK, I run make showconfig again and notice the change (see Listing 35).

Next I like to see which packages are required to build this package.

freebsd7# make pretty-print-build-depends-list
This port requires package(s) "perl-5.8.9_3" to build.
We already have Perl installed, so we don't have to worry about it. If Perl were not installed, we might consider installing the Perl package ourselves. If we did not install the Perl package, using the ports tree would result in building Perl and its dependencies (if any) from the ports tree as well. Now I see what packages are required to run this package, once installed.

freebsd7# make pretty-print-run-depends-list
This port requires package(s) "ca_root_nss-3.11.9_2" to run.

That makes sense. We already saw that when Curl was installed, the ca_root_nss package was listed as a dependency.

However, in the next section we will find that this output is not complete due to the libssh2 customization that we introduced.

To simply install Curl, we could use make again. However, we saw that ca_root_nss-3.11.9_2 is a runtime dependency. We can install that package manually before installing Curl via the ports tree (see Listing 36). Now, when we install Curl via the ports tree, we don't have to worry about the dependency being built through the ports tree (see Listing 37). Next we run make install (see Listing 38). During the build in Listing 37, libssh2 was found to be a dependency, based on the customization we made, and was built and installed from security/libssh2 before Curl itself was configured. We can see the dependency using pkg_tree.

freebsd7# pkg_tree curl
curl-7.19.6_1
|\__ libssh2-1.2,2
\__ ca_root_nss-3.11.9_2

If we want to create a package for Curl, we can use the make package command (see Listing 39). If we want to make the package and its dependencies, we use make package-recursive (see Listing 40). Note that make package (and therefore make package-recursive) installs the port first, so you don't have to run make install separately. With FreeBSD, there is not a way to make a package but avoid installation.

freebsd7# ls /usr/ports/packages/All
ca_root_nss-3.11.9_2.tbz   libssh2-1.2,2.tbz   portaudit-0.5.13.tbz
curl-7.19.6_1.tbz          perl-5.8.9_3.tbz
Install Packages Built on One System to Another System

Once packages are built using the ports tree, you can install them on similar systems elsewhere (the same FreeBSD branch and architecture, since a package built for 7-STABLE on i386 is only meant for such systems). For example, we can copy packages from freebsd7 to another system and install them locally. In the following example we begin on host freebsd7S and install packages built earlier in this article (see Listing 41).

So, the new package is installed, but what if we wanted to add a package with

Listing 34. Running make showconfig for the curl port

freebsd7# make showconfig
===> The following configuration options are available for curl-7.19.6_1:
     CARES=off (default) "Asynchronous DNS resolution via c-ares"
     CURL_DEBUG=off (default) "Enable curl diagnostic output"
     GNUTLS=off (default) "Use GNU TLS if OPENSSL is OFF"
     IPV6=on (default) "IPv6 support"
     KERBEROS4=off (default) "Kerberos 4 authentication"
     LDAP=off (default) "LDAP support"
     LDAPS=off (default) "LDAPS support (requires LDAP and SSL)"
     LIBIDN=off (default) "Internationalized Domain Names via libidn"
     LIBSSH2=off (default) "SCP/SFTP support via libssh2"
     NTLM=off (default) "NTLM authentication"
     OPENSSL=on (default) "OpenSSL support"
     PROXY=on (default) "Proxy support"
     TRACKMEMORY=off (default) "Enable curl memory diagnostic output"
===> Use 'make config' to modify these settings

Listing 35. Changes shown by running make showconfig after make config

freebsd7# make showconfig
===> The following configuration options are available for curl-7.19.6_1:
     CARES=off "Asynchronous DNS resolution via c-ares"
     CURL_DEBUG=off "Enable curl diagnostic output"
     GNUTLS=off "Use GNU TLS if OPENSSL is OFF"
     IPV6=on "IPv6 support"
     KERBEROS4=off "Kerberos 4 authentication"
     LDAP=off "LDAP support"
     LDAPS=off "LDAPS support (requires LDAP and SSL)"
     LIBIDN=off "Internationalized Domain Names via libidn"
     LIBSSH2=on "SCP/SFTP support via libssh2"
     NTLM=off "NTLM authentication"
     OPENSSL=on "OpenSSL support"
     PROXY=on "Proxy support"
     TRACKMEMORY=off "Enable curl memory diagnostic output"
===> Use 'make config' to modify these settings

Listing 36. Installing the ca_root_nss package

freebsd7# pkg_add -r ca_root_nss
Fetching ftp://ftp.freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/ca_root_nss.tbz... Done.
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 10 packages found (-0 +1) . done]
Listing 37. Running make for the curl port

freebsd7# make
===> Found saved configuration for curl-7.19.6_1
=> curl-7.19.6.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://curl.haxx.se/download/.
fetch: transfer timed out
=> Attempting to fetch from ftp://ftp.sunet.se/pub/www/utilities/curl/.
curl-7.19.6.tar.bz2                           100% of 2292 kB 2336 kBps
===> Extracting for curl-7.19.6_1
=> MD5 Checksum OK for curl-7.19.6.tar.bz2.
=> SHA256 Checksum OK for curl-7.19.6.tar.bz2.
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> Patching for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> Applying FreeBSD patches for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/bin/perl5.8.9 - found
===> curl-7.19.6_1 depends on shared library: ssh2.1 - not found
===> Verifying install for ssh2.1 in /usr/ports/security/libssh2
=> libssh2-1.2.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://www.libssh2.org/download/.
fetch: transfer timed out
=> Attempting to fetch from http://redundancy.redundancy.org/mirror/.
fetch: http://redundancy.redundancy.org/mirror/libssh2-1.2.tar.gz: Not Found
=> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
libssh2-1.2.tar.gz                            100% of  519 kB 2150 kBps
===> Extracting for libssh2-1.2,2
=> MD5 Checksum OK for libssh2-1.2.tar.gz.
=> SHA256 Checksum OK for libssh2-1.2.tar.gz.
===> Patching for libssh2-1.2,2
===> Configuring for libssh2-1.2,2
checking whether to enable maintainer-specific portions of Makefiles... no
checking for sed... /usr/bin/sed
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
...edited...
===> Registering installation for libssh2-1.2,2
===> Returning to build of curl-7.19.6_1
===> Configuring for curl-7.19.6_1
checking whether to enable maintainer-specific portions of Makefiles... no
checking whether to enable debug build options... no
checking whether to enable compiler optimizer... not specified (assuming yes)
checking whether to enable strict compiler warnings... no
checking whether to enable curl debug memory tracking... no
checking for sed... /usr/bin/sed
checking for grep... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ar... /usr/bin/ar
checking for a BSD-compatible install... /usr/bin/install -c -o root -g wheel
checking whether build environment is sane... yes
...edited...
Making all in examples
...edited...

Listing 38. Running make install for the curl port

freebsd7# make install
===> Installing for curl-7.19.6_1
===> curl-7.19.6_1 depends on file: /usr/local/share/certs/ca-root-nss.crt - found
===> curl-7.19.6_1 depends on shared library: ssh2.1 - found
===> Generating temporary packing list
===> Checking if ftp/curl already installed
Making install in lib
...edited...
===> Registering installation for curl-7.19.6_1
===> SECURITY REPORT:
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/lib/libcurl.so.5

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
http://curl.haxx.se/
freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +2) done]
dependencies? For cases like this, we could mount the remote system's /usr/ports/packages directory using NFS and add from there. The remote system here is freebsd7, or 172.16.134.128. I recommend making a read-only mount (via -o ro) so that the NFS client cannot accidentally alter the server's package repository (see Listing 42).

Listing 39. Running make package for the curl port

freebsd7# make package
===> Building package for curl-7.19.6_1
Creating package /usr/ports/packages/All/curl-7.19.6_1.tbz
Registering depends: ca_root_nss-3.11.9_2 libssh2-1.2,2.
Creating bzip'd tar ball in '/usr/ports/packages/All/curl-7.19.6_1.tbz'

Listing 40. Running make package-recursive for the curl port

freebsd7# make package-recursive
===> Building package for perl-5.8.9_3
Creating package /usr/ports/packages/All/perl-5.8.9_3.tbz
Registering conflicts: perl-5.6.* perl-5.10.* perl-threaded-5.10.*.
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/perl-5.8.9_3.tbz'
===> Building package for libssh2-1.2,2
Creating package /usr/ports/packages/All/libssh2-1.2,2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/libssh2-1.2,2.tbz'
rmdir: /usr/ports/security/libssh2/work: Directory not empty
*** Error code 1 (ignored)
===> Building package for ca_root_nss-3.11.9_2
===> Generating temporary packing list
Creating package /usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz'

Listing 41. Copying and installing a package from another system

freebsd7S# uname -a
FreeBSD freebsd7S.taosecurity.com 7.2-STABLE FreeBSD 7.2-STABLE #2: Sat Aug  root@freebsd7.localdomain:/usr/obj/usr/src/sys/FREEBSD7  i386
freebsd7S# mkdir -p /usr/ports/packages/All
freebsd7S# sftp analyst@172.16.134.128
Connecting to 172.16.134.128...
Password:
sftp> cd /usr/ports/packages/All
sftp> ls
ca_root_nss-3.11.9_2.tbz   curl-7.19.6_1.tbz   libssh2-1.2,2.tbz
perl-5.8.9_3.tbz           portaudit-0.5.13.tbz
sftp> get ca_root_nss-3.11.9_2.tbz
Fetching /usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz to ca_root_nss-3.11.9_2.tbz
/usr/ports/packages/All/ca_root_nss-3.11.9_2.tbz   100%  169KB 168.7KB/s   00:00
sftp> quit
freebsd7S# pkg_add ca_root_nss-3.11.9_2.tbz
freebsd7S# pkg_info
ca_root_nss-3.11.9_2  The root certificate bundle from the Mozilla Project
Curl and its dependencies have now been installed over NFS from the freebsd7 system. This example demonstrates how a centralized system (in this case, freebsd7) could serve as a local site ports tree and package repository, and client systems (like freebsd7S) could install packages from the local repository. In fact, the clients would not have to maintain their own ports trees. The clients then trust the builder completely: whoever can write to its /usr/ports/packages/All directory decides which binaries they install, so export that directory read-only and treat the builder as the most sensitive host in the group.

Let's show how mounting /usr/ports from the package repository freebsd7 helps the client freebsd7S learn what packages need updating. First, for this particular installation, we know that our clients will need the sysutils/cmdwatch utility, so we make a package of it on our package builder freebsd7 (see Listing 43). Now we turn to the package client, freebsd7S, and mount the package builder's /usr/ports directory (see Listing 44). We can run pkgdb -vu on freebsd7S because it stores the package database used by Portupgrade in /var/db/pkg on the local system.

freebsd7S# pkgdb -vu
---> Updating the pkgdb
[Rebuilding the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +12) ............ done]

Now we run portversion -v to see which packages need updating on the client. The client uses the NFS-mounted ports tree to compare against the versions on the package builder (see Listing 45).

We see that cmdwatch and screen need updating. On the client we invoke Portupgrade using the -vaPP switches (see Listing 46).

We see that Portupgrade did not find a screen package on the package builder (in /usr/ports/packages/All), and when that failed it tried to find a package on a remote FreeBSD server. That failed too, because the FreeBSD project does not build screen packages. The project recommends users build their own packages for screen. However, the newest version of cmdwatch was installed, using the package /usr/ports/packages/All/cmdwatch-0.2.0_2.tbz.

Installing Screen Using a Remote FreeBSD Ports Tree

What do we do about screen? It turns out that we can work around this problem.
Listing 42. Installing the curl package over NFS

freebsd7S# mount -t nfs -o ro 172.16.134.128:/usr/ports/packages /usr/ports/packages
freebsd7S# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
172.16.134.128:/usr/ports/packages on /usr/ports/packages (nfs, read-only)
freebsd7S# cd /usr/ports/packages/All
freebsd7S# ls
ca_root_nss-3.11.9_2.tbz   libssh2-1.2,2.tbz   portaudit-0.5.13.tbz
curl-7.19.6_1.tbz          perl-5.8.9_3.tbz
freebsd7S# pkg_add -v curl-7.19.6_1.tbz
Requested space: 4525K bytes, free space: 455M bytes in /var/tmp/instmp.0HoDV
Package 'curl-7.19.6_1' depends on 'libssh2-1.2,2' with 'security/libssh2' origin.
Loading it from /usr/ports/packages/All/libssh2-1.2,2.tbz.
Requested space: 711K bytes, free space: 452M bytes in /var/tmp/instmp.6EzFeD
extract: Package name is libssh2-1.2,2
extract: CWD to /usr/local
extract: /usr/local/include/libssh2.h
...edited...
extract: /usr/local/man/man3/libssh2_version.3.gz
extract: execute '/sbin/ldconfig -m /usr/local/lib'
extract: CWD to .
Running mtree for libssh2-1.2,2.
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/libssh2-1.2,2.
Package libssh2-1.2,2 registered in /var/db/pkg/libssh2-1.2,2
Package 'curl-7.19.6_1' depends on 'ca_root_nss-3.11.9_2' with 'security/ca_root_nss' origin.
- already installed.
extract: Package name is curl-7.19.6_1
extract: CWD to /usr/local
...edited...
extract: /usr/local/man/man1/curl.1.gz
...edited...
extract: /usr/local/share/examples/curl/threaded-ssl.c
extract: execute '/sbin/ldconfig -m /usr/local/lib'
extract: CWD to .
Running mtree for curl-7.19.6_1.
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/curl-7.19.6_1.
Trying to record dependency on package "libssh2-1.2,2" with "security/libssh2" origin.
Trying to record dependency on package "ca_root_nss-3.11.9_2" with "security/ca_root_nss" origin.
Package curl-7.19.6_1 registered in /var/db/pkg/curl-7.19.6_1
freebsd7S# cd
freebsd7S# umount /usr/ports/packages

Listing 43. Creating the cmdwatch package

freebsd7# cd /usr/ports/sysutils/cmdwatch
freebsd7# make package
=> cmdwatch-0.2.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://www.chruetertee.ch/files/download/.
cmdwatch-0.2.0.tar.gz                         100%          66 kBps
===>  Extracting for cmdwatch-0.2.0_2
=> MD5 Checksum OK for cmdwatch-0.2.0.tar.gz.
=> SHA256 Checksum OK for cmdwatch-0.2.0.tar.gz.
===>  Patching for cmdwatch-0.2.0_2
===>  Applying FreeBSD patches for cmdwatch-0.2.0_2
===>  Configuring for cmdwatch-0.2.0_2
===>  Building for cmdwatch-0.2.0_2
Making cmdwatch...
...edited...
done.
===>  Installing for cmdwatch-0.2.0_2
===>   Generating temporary packing list
===>  Checking if sysutils/cmdwatch already installed
Making cmdwatch... done.
Installing cmdwatch
===>   Compressing manual pages for cmdwatch-0.2.0_2
===>   Registering installation for cmdwatch-0.2.0_2
===>  Building package for cmdwatch-0.2.0_2
Creating package /usr/ports/packages/All/cmdwatch-0.2.0_2.tbz
Registering depends:.
Creating bzip'd tar ball in '/usr/ports/packages/All/cmdwatch-0.2.0_2.tbz'

freebsd7# pkgdb -vu
---> Updating the pkgdb
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 3 packages found (-0 +1) done]
Listing 44. Mounting the package builder using NFS

freebsd7S# mount -t nfs -o ro 172.16.134.126:/usr/ports /usr/ports
freebsd7S# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/ad0s1f on /home (ufs, local, soft-updates)
/dev/ad0s1g on /tmp (ufs, local, soft-updates)
/dev/ad0s1d on /usr (ufs, local, soft-updates)
/dev/ad0s1e on /var (ufs, local, soft-updates)
172.16.134.126:/usr/ports on /usr/ports (nfs, read-only)
Listing 45. Running portversion

freebsd7S# portversion -v
ca_root_nss-[version illegible]  =  up-to-date with port
cmdwatch-0.2.0_1                 <  needs updating (port has 0.2.0_2)
curl-7.19.6_1                    =  up-to-date with port
cvsup-without-gui-16.1h_4        =  up-to-date with port
db41-4.1.25_4                    =  up-to-date with port
libssh2-1.2,2                    =  up-to-date with port
perl-5.8.9_3                     =  up-to-date with port
pkg_cutleaves-20070210           =  up-to-date with port
portupgrade-2.4.6_3,2            =  up-to-date with port
ruby-1.8.7.160_4,1               =  up-to-date with port
ruby18-bdb-0.6.5_1               =  up-to-date with port
screen-4.0.3_5                   <  needs updating (port has 4.0.3_6)
Listing 46. Running portupgrade

freebsd7S# portupgrade -vaPP
---> Session started at: Tue, 25 Aug 2009 14:56:56 -0400
---> Checking for the latest package of 'sysutils/screen'
---> Fetching the package(s) for 'screen-4.0.3_6' (sysutils/screen)
---> Fetching screen-4.0.3_6
++ Will try the following sites in the order named:
    ftp://ftp.FreeBSD.org//pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgrade69eLJ2VS/screen-4.0.3_6.tbz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tbz
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgrade69eLJ2VS/screen-4.0.3_6.tgz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/All/screen-4.0.3_6.tgz
** Failed to fetch screen-4.0.3_6
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
    ! screen-4.0.3_6    (fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
---> Fetching the latest package(s) for 'screen' (sysutils/screen)
---> Fetching screen
++ Will try the following sites in the order named:
    ftp://ftp.FreeBSD.org//pub/FreeBSD/ports/i386/packages-7-stable/
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeKmGTSv48/screen.tbz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tbz
---> Invoking a command: /usr/bin/fetch -o '/var/tmp/portupgradeKmGTSv48/screen.tgz' 'ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz'
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz: File unavailable (e.g., file not found, no access)
** The command returned a non-zero exit status: 1
** Failed to fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-7-stable/Latest/screen.tgz
** Failed to fetch screen
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
    ! screen    (fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
** Could not find the latest version (4.0.3_6)
** No package available: sysutils/screen
---> ** Upgrade tasks 2: 0 done, 0 ignored, 0 skipped and 1 failed
---> Checking for the latest package of 'sysutils/cmdwatch'
---> Found a package of 'sysutils/cmdwatch': /usr/ports/packages/All/cmdwatch-0.2.0_2.tbz (cmdwatch-0.2.0_2)
---> Upgrade of sysutils/cmdwatch started at: Tue, 25 Aug 2009 14:58:01 -0400
---> Upgrading 'cmdwatch-0.2.0_1' to 'cmdwatch-0.2.0_2' (sysutils/cmdwatch) using a package
---> Updating dependency info
---> Uninstallation of cmdwatch-0.2.0_1 started at: Tue, 25 Aug 2009 14:58:02 -0400
---> Fixing up dependencies before creating a package
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'cmdwatch-0.2.0_1'
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 11 packages found (-1 +0) done]
---> Uninstallation of cmdwatch-0.2.0_1 ended at: Tue, 25 Aug 2009 14:58:27 -0400 (consumed 00:00:25)
---> Installation of cmdwatch-0.2.0_2 started at: Tue, 25 Aug 2009 14:58:29 -0400
---> Installing the new version via the package
---> Removing temporary files and directories
---> Removing old package
---> Installation of cmdwatch-0.2.0_2 ended at: Tue, 25 Aug 2009 14:58:31 -0400 (consumed 00:00:02)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 12 packages found (-0 +1) done]
---> Upgrade of sysutils/cmdwatch ended at: Tue, 25 Aug 2009 14:58:53 -0400 (consumed 00:00:51)
---> ** Upgrade tasks 2: 1 done, 0 ignored, 0 skipped and 1 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
    ! sysutils/screen (screen-4.0.3_5)    (package not found)
    + sysutils/cmdwatch (cmdwatch-0.2.0_1)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 1 failed
---> Session ended at: Tue, 25 Aug 2009 14:59:12 -0400 (consumed 00:02:16)

freebsd7S# portversion -v
ca_root_nss-[version illegible]  =  up-to-date with port
cmdwatch-0.2.0_2                 =  up-to-date with port
curl-7.19.6_1                    =  up-to-date with port
cvsup-without-gui-16.1h_4        =  up-to-date with port
db41-4.1.25_4                    =  up-to-date with port
libssh2-1.2,2                    =  up-to-date with port
perl-5.8.9_3                     =  up-to-date with port
pkg_cutleaves-20070210           =  up-to-date with port
portupgrade-2.4.6_3,2            =  up-to-date with port
ruby-1.8.7.160_4,1               =  up-to-date with port
ruby18-bdb-0.6.5_1               =  up-to-date with port
screen-4.0.3_5                   <  needs updating (port has 4.0.3_6)

Listing 47. Common package upgrade process

1. [first step illegible in the scan]
2. setenv PACKAGESITE ftp://ftp[X].freebsd.org//pub/FreeBSD/ports/i386/packages-7-stable/Latest/ where [X] is the number of a FreeBSD FTP server near you.
3. portsnap fetch
4. portsnap update
5. [step illegible in the scan]
6. pkgdb -vu
7. portversion -v -l "<"
8. Read /usr/ports/UPDATING to see if any special instructions apply to packages of interest.
9. portupgrade -vaPP
10. portversion -v -l "<"





www.bsdmag.org 







About the Author

Richard Bejtlich is Director of Incident Response for General Electric, and serves as Principal Technologist for GE's Global Infrastructure Services division. He also writes for his blog (taosecurity.blogspot.com) and TechTarget.com, and teaches for Black Hat.


First, remove the old package using any of the methods demonstrated in this article. Next, mount the package builder's ports directory:

freebsd7S# mount -t nfs -o ro 172.16.134.126:/usr/ports /usr/ports

If /usr/ports doesn't exist on the client, create it. Now cd to /usr/ports/sysutils/screen and run the following:

freebsd7S# cd /usr/ports/sysutils/screen
freebsd7S# make WRKDIRPREFIX=/tmp
freebsd7S# make install WRKDIRPREFIX=/tmp

When done, the new version of screen will have been built using the remote package builder's ports tree, but with the source code compiled and installed on the local system (the read-only NFS mount is why the work directory has to be redirected to /tmp with WRKDIRPREFIX).


My Common Package Update Process

So what is the end result of this process? For individual systems, I recommend the following process. This assumes Portupgrade is installed, and that I rely on packages produced by the FreeBSD project. I also assume that Portaudit is already running automatically every day (see Listing 47).
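The two portversion checks in that process, and the "Listing the results" block at the end of a portupgrade run, are easy to script. The Python below is an added example (not part of the article or of Portupgrade) that parses the output formats shown in Listings 45 and 46; the sample texts are constructed to match those listings.

```python
"""Added example, not from the article or from Portupgrade itself: parse the
text that `portversion -v` and `portupgrade -vaPP` print (the formats shown in
Listings 45 and 46) so the before/after checks of the update process can be
scripted.  The sample inputs are constructed to match those listings."""
import re
from typing import Dict, List, Tuple

# Constructed to match Listing 45: "pkg-version  <status>  comment".
SAMPLE_PORTVERSION = """\
cmdwatch-0.2.0_1            <  needs updating (port has 0.2.0_2)
curl-7.19.6_1               =  up-to-date with port
cvsup-without-gui-16.1h_4   =  up-to-date with port
libssh2-1.2,2               =  up-to-date with port
screen-4.0.3_5              <  needs updating (port has 4.0.3_6)
"""

# Constructed to match Listing 46: screen has no binary package on the
# FTP site, cmdwatch is upgraded from the locally built package.
SAMPLE_SESSION = """\
---> Session started at: Tue, 25 Aug 2009 14:56:56 -0400
** Failed to fetch screen-4.0.3_6
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
\t! screen-4.0.3_6\t(fetch error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed
** No package available: sysutils/screen
---> Upgrading 'cmdwatch-0.2.0_1' to 'cmdwatch-0.2.0_2' (sysutils/cmdwatch) using a package
---> ** Upgrade tasks 2: 1 done, 0 ignored, 0 skipped and 1 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
\t! sysutils/screen (screen-4.0.3_5)\t(package not found)
\t+ sysutils/cmdwatch (cmdwatch-0.2.0_1)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 1 failed
---> Session ended at: Tue, 25 Aug 2009 14:59:12 -0400 (consumed 00:02:16)
"""

# The version starts after the last '-' (names like cvsup-without-gui keep
# their own hyphens); the status is one of portversion's marker characters.
PORTVERSION_RE = re.compile(
    r"^(?P<pkg>\S+?)-(?P<ver>[^-\s]+)\s+(?P<status>[<>=?!#])\s+(?P<note>.*)$")
PORT_HAS_RE = re.compile(r"\(port has (?P<portver>\S+)\)")


def parse_portversion(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed version, status char, port version or '')."""
    rows = []
    for line in text.splitlines():
        m = PORTVERSION_RE.match(line.strip())
        if not m:
            continue
        ph = PORT_HAS_RE.search(m.group("note"))
        rows.append((m.group("pkg"), m.group("ver"), m.group("status"),
                     ph.group("portver") if ph else ""))
    return rows


def needs_update(text: str) -> Dict[str, str]:
    """Packages older than their port ('<'), mapped to the port's version."""
    return {pkg: portver for pkg, _v, status, portver in parse_portversion(text)
            if status == "<"}


def parse_results(session: str) -> Dict[str, Tuple[str, str]]:
    """Parse the final '---> Listing the results' block of a portupgrade run.

    A session prints one block per fetch attempt as well, so only the last
    block counts.  Returns {origin: (mark, reason)} with mark + done,
    - ignored, * skipped, ! failed, and reason such as 'package not found'.
    """
    blocks = session.split("---> Listing the results")
    if len(blocks) < 2:
        return {}
    out: Dict[str, Tuple[str, str]] = {}
    for raw in blocks[-1].splitlines()[1:]:   # [0] is the tail of the header
        if raw.startswith("---> "):
            break                               # "Packages processed" line
        line = raw.strip()
        if not line or line[0] not in "+-*!":
            continue
        mark, _, rest = line.partition(" ")
        parts = rest.split()
        if not parts:
            continue
        parens = re.findall(r"\(([^)]*)\)", rest)
        # A parenthesised package name contains "-<digit>"; anything else
        # is the failure reason.
        reason = next((p for p in parens if not re.search(r"-\d", p)), "")
        out[parts[0]] = (mark, reason)
    return out


def failed_tasks(session: str) -> Dict[str, str]:
    """Origins that failed, with the reason portupgrade gave."""
    return {o: r for o, (m, r) in parse_results(session).items() if m == "!"}


if __name__ == "__main__":
    print("behind their port:", needs_update(SAMPLE_PORTVERSION))
    print("failed tasks:", failed_tasks(SAMPLE_SESSION))
```

A "package not found" failure is the cue to fall back to building that one port from the package builder's tree, as described above.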


Conclusion

I hope this article has helped you understand the different ways to keep FreeBSD applications up-to-date. It is by no means comprehensive, but by following it you can hopefully judge the different ways to keep your applications current.
Spam control with a stock OpenBSD install

Girish Venkatachalam

Ever since e-mail became ubiquitous, unwanted e-mail, or spam, also known as UCE (Unsolicited Commercial E-mail) or UBE (Unsolicited Bulk E-mail), also became popular.


E-mails today form the backbone of any company, no matter whether it makes spacecraft or leather boots. E-mail is not just a medium for communication but the most important corporate tool.

Due to many historic accidents and a combination of other factors, spammers have found it very easy to fake e-mail senders. They send unsolicited e-mail with so much impunity and coordination that nearly every spam protection mechanism, be it technical, political or regulatory, has been smashed to smithereens.

Spammers are smart people and they know what they are doing. Their level of motivation is quite high because there is money in the business. People do fall for lures promising bigger private organs or easy money. Lottery wins, Nigerian widows and porn may not interest you and me; they actually annoy us, but the Internet still has many naive people whom these spammers can bait and walk off with their money.

Spamming is a volume game. They don't care about particular users receiving their messages. They really don't care if intelligent users delete their mails or use a spam filter. As long as their profits are higher than their overheads, their business model works. As I said, they are in the game for the money.

That being the case, any technology solution to fight spammers has to hit them where it hurts them the most. We have to target their business model. This is easily done. Let me explain.

Spammers hardly spend any money or resources to send out spam. They send bulk commercial e-mail using a huge network of coordinated computers working in tandem to send out millions of mails. They use open relays and they even create bogus BGP routes to send out spam. Unallocated BGP networks, known as bogons, come and go. Spammers come, they send out the mails and then they vanish. They operate from some other country to avoid detection. No form of regulation is going to fight them. We have to use technology. And OpenBSD has an excellent method to fight such brain damaged individuals. This article is about that.


How does OpenBSD fight spam?

You may be wondering how a free, open source operating system can be equipped with a spam filter, and you may also wonder at its effectiveness. It turns out that OpenBSD's spam filtering arsenal is the most powerful spam filtering technique on the planet. It is far more powerful than anything you already know, like SpamAssassin or any commercial product. It wins hands down in this particular game.

Most of all, it is completely free. All you need to do is download the latest OpenBSD ISO, install it on a PC and set things up. You have to run this machine in front of your e-mail server, since OpenBSD's spamd(8) does not even allow spam to come in. It saves your bandwidth and e-mail storage/archival costs.

Moreover, this does not require any manual intervention or maintenance. No babysitting is necessary, unlike SpamAssassin, and there is certainly no false positives problem in which you lose legitimate e-mails.


It is the ultimate spam filter!

But what it does is not really spam filtering. It performs spam control by not even letting spam in. Spammers get an error message, and they cannot survive our tests since that costs them resources and money. Their business model does not allow that.

OpenBSD does tarpitting, or teergrubing, in such a fashion that legitimate mail senders don't feel anything, but it hits the spammer, and it hits him real hard. Ultimately you, as a user, win without losing anything.
And you end up losing a lot when you use a content scanning spam filter like SpamAssassin. SpamAssassin slows your e-mail since it does content scanning, and you lose important e-mail. It also requires heavy maintenance, and it wastes mail server storage space and your network bandwidth. It deletes spam mails after receiving them, and people have to manually pass false positives or get rid of real spam.

OpenBSD works in a completely different manner. It relies on traffic shaping at the TCP layer to achieve spam control.

Figure 1 is a diagrammatic representation of how OpenBSD does spam filtering.

There are three UNIX daemons of interest here. spamd(8) is the master daemon; it runs a fake SMTP daemon on port 8025. Run this command as root on an OpenBSD machine:

# /usr/libexec/spamd

After that, try this command:

> nc -v localhost 8025

You will see how OpenBSD's spamd implements the tarpit mechanism to hurt spammers.

From here onwards we are going to get really technical. Please be warned that this section is meant for people who are very familiar with the OpenBSD OS. People with a thorough grounding in OpenBSD's internals and its firewall software pf(4) will benefit the most from the rest of the article. However, you can read through and fill the gaps in your understanding once you gain more familiarity with this fantastic operating system.

Figure 1. OpenBSD, the daemon workhorses

  spamd(8): updates the /var/db/spamd database; tracks blacklisted IPs; implements the tarpit by delaying responses (stuttering).

  spamd-setup(8): keeps track of the blacklisted IP netblocks that send out spam right now; updated every hour; talks to spamd(8) over the local spamd-cfg UDP socket using a simple line-by-line text protocol.

  spamlogd(8): loops in pcap_loop() over the /dev/pflog0 log interface, watching mail attempts for whitelisting.
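What nc shows against port 8025 is the "stuttering" that the figure lists under spamd(8). The following Python is an added illustration, not OpenBSD's spamd code: a toy greeter that sends its banner one byte at a time and then temp-fails every command, with a client that times the effect over the loopback interface. The hostnames and the delay are constructed, and the real daemon stutters far more slowly than the value used here.

```python
"""Added example, not OpenBSD's spamd(8) code: a toy "stuttering" SMTP
greeter that reproduces the tarpit effect the article describes.  The
banner is sent one byte at a time with a pause between bytes, so a bulk
mailer pays the delay on every one of its thousands of connections while
a legitimate MTA merely waits a little longer for the greeting; every
command is then answered with a temporary failure, so a real MTA retries
later and a spammer moves on.  Hostnames and the delay are constructed;
spamd(8) itself stutters far more slowly than the value used here."""
import socket
import threading
import time

BANNER = "220 mx.example.net ESMTP spamd-demo\r\n"     # constructed banner
TEMPFAIL = "450 4.2.0 Greylisted, try again later\r\n"
STUTTER = 0.05   # seconds between bytes; kept short so the demo is quick


def stutter_send(conn: socket.socket, text: str, delay: float) -> None:
    """Write text one byte at a time, pausing after each byte (the tarpit)."""
    for byte in text.encode():
        conn.sendall(bytes([byte]))
        time.sleep(delay)


def handle(conn: socket.socket, delay: float) -> None:
    """Greet slowly, then temp-fail everything until QUIT or a quiet peer."""
    with conn:
        try:
            stutter_send(conn, BANNER, delay)
            conn.settimeout(5.0)
            while True:
                data = conn.recv(512)
                if not data:
                    break
                if data.strip().upper().startswith(b"QUIT"):
                    stutter_send(conn, "221 Bye\r\n", delay)
                    break
                stutter_send(conn, TEMPFAIL, delay)
        except OSError:
            pass   # peer gave up or timed out: exactly what we want a spammer to do


def serve_one(port: int, delay: float = STUTTER):
    """Accept a single loopback connection in a background thread.
    Returns (thread, bound_port); port 0 picks a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        srv.close()
        handle(conn, delay)

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return thread, srv.getsockname()[1]


def read_line(sock: socket.socket) -> bytes:
    """Read up to and including CRLF, byte by byte, like a patient client."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def measure_tarpit(delay: float = STUTTER):
    """Client side of the demo: connect to a fresh stuttering server, time
    the banner, send one command, quit.  Returns (banner, reply, seconds)."""
    thread, port = serve_one(0, delay)
    with socket.create_connection(("127.0.0.1", port), timeout=30) as client:
        start = time.monotonic()
        banner = read_line(client)
        elapsed = time.monotonic() - start
        client.sendall(b"HELO bulk.example.org\r\n")
        reply = read_line(client)
        client.sendall(b"QUIT\r\n")
        read_line(client)          # wait for the 221 so the server exits cleanly
    thread.join(timeout=30)
    return banner.decode(), reply.decode(), elapsed


if __name__ == "__main__":
    banner, reply, secs = measure_tarpit()
    print(f"{len(banner)}-byte banner took {secs:.2f}s; reply: {reply.strip()}")
```

To watch it by hand, call serve_one(8025) from an interpreter and then run the nc command from the article against localhost.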

spamlogd(8) is a libpcap(3) infinite loop that reads the pflog0 virtual network interface to check for connections to the mail server. This daemon is important, since without it legitimate mail will not get through.

And the spamd-setup(8) daemon checks the worldwide blacklists of spam senders. This daemon talks to the spamd(8) daemon using a simple line-by-line text protocol on the local spamd-cfg UDP port.

You need this /etc/pf.conf file since it is OpenBSD's excellent firewall pf(4) that does all the networking magic for us. pf(4) tables are a very powerful concept for blacklisting IP addresses that misbehave in many ways. Spam control is not very different from other forms of misbehavior, like launching ssh brute force attacks or denial of service attacks on us.

pf(4) tables allow us to add hosts and IP addresses dynamically based on matching rules, and you can check future packets from those hosts against this list and act in a different manner.

Let me illustrate the above concept with an example.

Let us say you have ssh brute force attacks coming from the IP address 1.3.4.45. You can identify this in a pf(4) rule and add this IP to the table called <badhosts> with this rule:

pass inet proto tcp from any to port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/7, \
    overload <badhosts> flush global)

And now all you have to do is plonk this line:

block quick from <badhosts>

towards the beginning of your pf(4) rules. You also need to declare this table beforehand.

Now, getting back to spam control. This is the firewall rule file /etc/pf.conf that you need for spam control (see Listing 1).

For those of you who know pf(4) already, this file should not be cryptic at all. But for others I shall do a bit of explaining. Most lines are very clear and self explanatory. I shall only touch upon the important ones. The line:


rdr pass log on $ext_if proto tcp from <white> to ($ext_if) port smtp \
    -> <mailserver> round-robin

does a destination NAT, or TCP connection forwarding, to the <mailserver> table declared above. The keyword round-robin states that if there are n hosts in the <mailserver> table, like this:

table <mailserver> const { 1.2.3.5, 1.2.3.6, 1.2.3.7 }

then the rdr rule will redirect the first SMTP connection to 1.2.3.5, the second to 1.2.3.6, the third to 1.2.3.7 and the fourth back to 1.2.3.5. The other line of interest is this one:

pass in log on $ext_if inet proto tcp to <mailserver> port smtp

This line logs the SMTP connections to the real mail server, which could be running MS Exchange or sendmail or Postfix or whatever.
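The rules quoted in this section, gathered into one ruleset as an added example: this is not the author's Listing 1, which the scan does not reproduce. The redirection of senders that are not yet in <white> to spamd on 127.0.0.1 follows the spamd(8) manual page; the interface name, the $tcp_services list and the mail server addresses are assumptions.

```pf
# Added example assembled from the rules quoted in the article plus the
# standard spamd(8) redirection; not the author's own Listing 1.
# Assumptions: external interface em0, the three mail servers from the
# text, and a $tcp_services list for the generic abuse limiter.
ext_if = "em0"
tcp_services = "{ ssh, smtp }"

table <mailserver> const { 1.2.3.5, 1.2.3.6, 1.2.3.7 }
table <white> persist        # maintained by spamd(8) via spamlogd(8)
table <badhosts> persist     # filled by the overload rule below

# Declare the table before use and drop known abusers as early as possible.
block quick from <badhosts>

# Senders already whitelisted go straight to the real servers, round-robin.
rdr pass log on $ext_if proto tcp from <white> to ($ext_if) port smtp \
    -> <mailserver> round-robin

# Everyone else talks to the stuttering fake SMTP daemon (spamd, port 8025).
rdr pass on $ext_if proto tcp from !<white> to ($ext_if) port smtp \
    -> 127.0.0.1 port spamd

# Log the SMTP connections that reach the real servers: spamlogd(8) reads
# pflog0 and has spamd(8) whitelist those senders, so legitimate mail flows.
pass in log on $ext_if inet proto tcp to <mailserver> port smtp

# The generic abuse limiter from the article: too many, or too frequent,
# connections from one source add it to <badhosts> and flush its states.
pass inet proto tcp from any to port $tcp_services \
    keep state (max-src-conn 100, max-src-conn-rate 15/7, \
    overload <badhosts> flush global)
```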

This is done because without the pflog0 virtual interface seeing the successful SMTP connections, real mail will never get through, as the well behaved IP addresses will not get a chance to be noticed by spamd.

This job is done by the spamlogd(8) daemon in a pcap(3) live-capture loop. The actual whitelisting is performed by spamd(8), but spamlogd(8) notices the packets on the log interface. I know my English is a bit cryptic, but I hope you get the idea.

And you will also know in a minute that this requires this sysctl setting:

# sysctl net.inet.ip.forwarding=1


You will also notice that this firewall config ensures that mail is forwarded to the 3 mail servers 1.2.3.5, 1.2.3.6 and 1.2.3.7, one after another, in a round robin fashion.

This is useful when you have three MX records like this (see Listing 2).

The other thing you could do is fail over between two OpenBSD boxes by running CARP between them.

The thing about CARP is that it is a patent-unencumbered version of the Cisco VRRP protocol (Virtual Router Redundancy Protocol), and it works with any service you wish to offer with a 100% uptime guarantee. CARP relies on IP protocol 112 (grep for CARP in /etc/protocols).

CARP works remarkably well in an environment where you have colocated web servers or mail servers or just about any service you offer on top of IP. It could even be a UDP service. CARP is utterly painless, and its real simplicity can sometimes be quite dumbfounding since it does a lot of work behind the scenes.

This does not get you TCP connection handover, but it is pretty close to what you can get with minimal investment in hardware and software.

Just run the following commands on machine A and machine B. On machine A, assume the network interface is vic0:

# ifconfig carp0 192.168.1.100 carpdev vic0 vhid 1

On machine B, assume the network interface is fxp0:

# ifconfig carp0 192.168.1.100 carpdev fxp0 vhid 1
Now all you have to do is use the virtual IP 192.168.1.100 of the carp virtual interface, and you have a load balanced spam filter that can give you 100% uptime, shares load across 3 mail servers and does not allow spam to enter your network, thus saving you bandwidth.

The most interesting thing above all is that it is 100% free of cost. The source code is free, you can do whatever you want with it, and still I wonder why nobody is using this method to fight spam instead of SpamAssassin.


Do you know?

I have an idea why the world has not yet woken up to this technology. People do not know the value of open source, and this has got to do with the thinking that anything available free of cost and with no strings attached must automatically be bad.

Unfortunately we live in a world where open source dominates technological innovation, especially in the UNIX world.

OpenBSD attracts very smart minds to its fold, and its transparent developer culture and no nonsense attitude has consistently brought about some of the best technologies in firewalling, advanced networking techniques and, of course, e-mail spam control.

Crypto is just in passing. OpenBSD has had the best IPsec suite for many years now. And there are many other facilities too. But security is built into the randomness in malloc allocation, DNS query ID allocation, TCP sequence numbers... in virtually anything and everything in OpenBSD.

Last but not least, OpenSSH is a byproduct of this great OS!




• Hosting BSD
• Cloud Computing
• OpenBSD, NetBSD and FreeBSD as file sharing servers — Part 2
• how-to's


Choosing and installing a Window Manager with FreeBSD

Rob Somerville

One of the many attractive features of BSD is that the end-user is not tied to a particular desktop or windowing environment.

While it is possible to run different shells with other major operating systems, BSD, Linux and Unix are different in that a separate layer (Xorg, the X Window System) sits between the kernel and the GUI environment. Once Xorg is configured correctly, it is relatively trivial to install a Window Manager (WM), or indeed multiple WMs, if you so choose. At last count at freshports.org there were over 60 WMs available for BSD (Table 1), so choice is only limited by your processor and aesthetics.


Set-up and support

Traditionally, setting up X Windows could be very tricky, often due to closed source video drivers or odd monitor configurations. While there are rogue video cards out there that are not natively supported, most cards these days can be persuaded to run in VESA mode. In the author's experience, more modern Cathode Ray Tube (CRT) and Liquid Crystal Display (LCD) screens will work straight out of the box with Xorg 7.x, especially as it now has a fail-safe / auto-config mode. The only difficulty that may arise is with wide-screen configurations or laptops; often these have proprietary hardware or obscure settings that need to be taken into consideration if optimal settings are desired.

Figure 1. X up and running

As it is possible to overdrive and consequently damage your video hardware, it is always good practice to check that your kit is supported beforehand and to confirm optimal resolution, refresh rates, mode line settings etc., especially if you are unsure as to the specification. Modern hardware can probably cope better than older kit, but the wrong setting in the monitor section of xorg.conf could potentially be problematic.

Table 1. Window Managers available for BSD
Currently maintained Window Manager ports [Screenshots in bold]

aewm 1.2.7_3                   ICCCM-compliant window manager based on 9wm
amaterus 0.34.1_6              A GTK+ window manager
awesome 3.4.3_2                A highly configurable, next generation framework window manager
blackbox 0.70.1_2              A small and fast window manager for X11R6
echinus 0.3.9                  A dynamic window manager for X11 based on ...
enlightenment 0.16.999.042_4   A very artistic X window manager
fluxbox 1.1.1_1                A small and fast window manager based on ...
fvwm2 2.4.20_2                 Popular virtual window manager for X
golem 0.0.5_2                  Small window manager with themes and ...
i3 3.d                         An improved dynamic tiling window manager
ion 20020207_2                 A window manager with a text-editorish, ...
larswm 7.5.3_2                 Tiling Window Manager for X
matchbox 1.2                   Window manager suitable for low-resolution screens
oroborus 2.0.18_1              A small and simple GNOME-compatible window manager
phluid 0.0.3_10                A window manager that emphasizes efficiency, speed, and beauty
sapphire 0.15.8_1              Small window manager
sawfish (version illegible)    Lisp configurable window manager
swm 1.3.4_4                    Window manager for low-memory systems
weewm 0.0.2_2,1                Fast and ultra light windowmanager with total keyboard control
windowmaker 0.92.0_8           GNUstep-compliant NeXTstep window manager clone
wmG 0.18.0_7                   Small GTK-based GNOME-compliant window manager
xfce 3.8.18_10                 CDE like desktop with GTK
xmonad 0.9.1                   Xmonad is a minimalist and tiling window manager for X


Desktop Environment versus Window Manager

With the plethora of choice available [1], it is possible to install anything from an extreme lightweight such as Ratpoison (a mouse-less WM) to a full blown Desktop Environment (DE) such as Gnome or KDE. A low specification PC will perform better with a WM rather than a DE.

Security and functionality are prime considerations, and a DE will require a lot of additional library support, which will not only add to the install time but potentially may add vulnerabilities. While most WMs are bare bones and highly customisable via their configuration files, a DE will come pre-configured with lots of additional goodies (such as file managers, printer monitoring utilities etc.), so if anything other than basic functionality is required, a DE may be the best choice.

While it is not best practice to install a GUI in a server environment, occasionally the need may arise (e.g. to run VirtualBox to install a virtual machine OS from bare metal), and then a lightweight WM with few bells and whistles is useful. Xorg provides TWM as the default WM, and this is sufficient for most purposes.

User interface aesthetics are important as well: some prefer the minimalist approach of Blackbox to the slower but more visually stimulating AfterStep or Enlightenment.

For this article, all software was tested in a virtual machine running FreeBSD 8.0 and Xorg 7.4.


The major players

The heavyweights

These are the full blown desktop environments, complete with their own suite of applications, libraries and utilities. It is probably best to install these from the installation DVD via sysinstall, due to major package dependencies.

Both these DEs support a wide range of applications, and (apart from having to install some additional libraries) they will often support each other's applications as well. For a humorous analysis of the pros and cons of these DEs, see the final smackdown at linuxmag.com [2].

Gnome (see Figure 2): Traditional desktop with drop-down menus and the Nautilus file manager. More slim-line than KDE, it is the basis for the OpenSolaris desktop. With additional utilities it can be themed to look very Mac like. The standard for Red Hat Linux.

KDE (see Figure 3): Out of the box it has a more contemporary styling than Gnome and is the default desktop for SUSE Linux Enterprise. Strong support for educational games and applications.
The middleweights

AfterStep (see Figure 4): Based on the Bowman NeXTstep (TM) clone, this WM has plenty of eye-candy.

Enlightenment (see Figure 5): A beautifully crafted WM still heavily under development.

The lightweights

Window Maker (Figure 6): Reproduces the elegant look and feel of the NEXTSTEP (TM) user interface.

Blackbox (Figure 7): A minimalist desktop, but as a result has a very small footprint.

TWM: The default WM supplied with Xorg.


Getting Xorg up and running

Xorg needs to be installed either from the FreeBSD DVD or using pkg_add (Table 2). If you are running FreeBSD 7.4 or greater, DBUS and HALD are required. If required, ensure the moused daemon is operational, and add the following lines to /etc/rc.conf as necessary:

moused_enable="YES"
dbus_enable="YES"
hald_enable="YES"

Manually start the moused, DBUS and HALD services, or reboot. As an unprivileged user, start the X server:

xinit

If all is well, Xorg should start, your mouse should work and you will see a bare-bones X session up and running, as shown in Figure 1.

Switch to the console you ran xinit from and press [Ctrl-C] to terminate (Ctrl-Alt-Backspace is disabled in later versions of Xorg). If your mouse or display doesn't come up, you will need to generate, test and modify the configuration as appropriate.

As root, run:

Xorg -configure
Xorg -config /root/xorg.conf.new -retro

You should now see the traditional hatched background and mouse cursor. Copy the xorg.conf.new file to /etc/X11/xorg.conf if you are successful; otherwise refer to the handbook at freebsd.org for more detail on how to proceed.


Installing your DE or WM

Gnome and KDE are supplied as packages on the FreeBSD 8.0 DVD, and this was the preferred method of installation to save bandwidth. All other WMs were installed as packages using the following invocation:

pkg_add -r packagename

where packagename refers to the WM in question. The only exception was Enlightenment; at the time of writing this WM had to be installed via the ports tree, as the package appeared broken (Table 2).

Figure 5. Enlightenment

Figure 7. Blackbox

• Wikipedia, Comparison of X Window System desktop environments: http://en.wikipedia.org/wiki/Comparison_of_X_Window_System_desktop_environments [1]
• Gnome v KDE, The Final Smackdown: http://www.linux-mag.com/id/7296 [2]
• OpenSolaris, OpenSolaris Desktop: http://hub.opensolaris.org/bin/view/Project+jds/ [3]

Table 2. Installation and xinit commands
Window Maker    /usr/local/bin/wmaker

• There is no maintainer for this port: N/A


cd /usr/ports/x11-wm/enlightenment
make
make install


Testing the Window Manager

To initially test, the WM can be run via xinit,
e.g. for the Gnome desktop environment:


xinit /usr/local/bin/gnome-session


See Table 2 for further details.


Creating the .xinitrc file 

To facilitate starting the WM using the
startx command, the .xinitrc file in the
user's home directory is created:


echo "exec /usr/local/bin/blackbox" > ~/.xinitrc


See Table 2 for further examples.


Login Manager 

The login manager presents the user with
a GUI immediately after the system boots.
Depending on the level of sophistication
of the login manager (e.g. wdm), the user
can select which WM to run at login if
multiple WMs are installed.

If you require a graphical login
manager, gdm is installed as part of the
Gnome package and can be started at
boot by adding the following to rc.conf:


gdm_enable="YES"


For other login managers, please refer to 
the relevant man pages. 
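The rc.conf and .xinitrc steps above, as an added shell example that is not part of the article: rc_set edits an rc.conf-style file without leaving duplicate lines, x_prereqs_ok confirms the moused, dbus and hald services are enabled before xinit is attempted, and write_xinitrc refuses anything but an absolute window manager path. The function names are mine; sysrc(8), which handles the rc.conf part on FreeBSD 9.2 and later, is mentioned only in a comment.

```shell
#!/bin/sh
# Added example (not from the article). File paths are parameters so the
# helpers can be exercised on a scratch copy before touching /etc/rc.conf.
# On FreeBSD 9.2+ sysrc(8) does the rc.conf editing; this is the portable form.

# rc_set FILE NAME VALUE
# Set NAME="VALUE" in FILE. An existing definition, even a commented-out one,
# is rewritten in place so the file never accumulates duplicate lines, where
# the last one silently wins at boot.
rc_set() {
  file=$1 name=$2 value=$3
  # VALUE is interpolated into a sed script, so accept only a plain charset.
  case $value in
    *[!A-Za-z0-9_\ ./:=-]*)
      echo "rc_set: refusing unsafe value for $name: $value" >&2; return 1 ;;
  esac
  [ -f "$file" ] || : > "$file"
  if grep -q "^[#[:space:]]*${name}=" "$file"; then
    tmp="${file}.tmp.$$"
    sed 's/^[#[:space:]]*'"$name"'=.*/'"$name"'="'"$value"'"/' "$file" > "$tmp" &&
      mv "$tmp" "$file"
  else
    printf '%s="%s"\n' "$name" "$value" >> "$file"
  fi
}

# rc_get FILE NAME: print the effective value (quoted or bare; last wins).
rc_get() {
  sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# x_prereqs_ok FILE: the three services the article enables must all be YES
# before xinit is worth trying; name the first one that is not.
x_prereqs_ok() {
  for svc in moused dbus hald; do
    if [ "$(rc_get "$1" "${svc}_enable")" != "YES" ]; then
      echo "${svc}_enable is not YES in $1" >&2
      return 1
    fi
  done
  return 0
}

# write_xinitrc FILE WM_PATH: create the .xinitrc that startx will exec.
# A bare name would be resolved through PATH at login time, which is exactly
# the ambiguity a startup file should not have, so insist on an absolute path.
write_xinitrc() {
  case $2 in
    /*) printf 'exec %s\n' "$2" > "$1" ;;
    *)  echo "write_xinitrc: WM path must be absolute: $2" >&2; return 1 ;;
  esac
}

# Typical use on the real system (as root for rc.conf, as the user for .xinitrc):
#   rc_set /etc/rc.conf hald_enable YES
#   x_prereqs_ok /etc/rc.conf && write_xinitrc ~/.xinitrc /usr/local/bin/blackbox
```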





BSDCan, a BSD conference held in Ottawa, Canada, has quickly 
established itself as the technical conference for people working 
on and with 4.4BSD based operating systems and related projects. 
The organizers have found a fantastic formula that appeals to a 
wide range of people from extreme novices to advanced developers. 


BSDCan 2010 will be held on 13-14 May 2010 at University of 
Ottawa, and will be preceded by two days of Tutorials on 11-12 May 
2010. 


There will be related events (of a social nature, for the most part)
on the day before and after the conference.


http://bsdcan.org/ 


BSDCan 2010

Jesse Smith


The BSD family has long held a well deserved reputation for being superb server
operating systems. However, OS X aside, it's not very often we hear about BSD on
the desktop. That's too bad, because many of the things which make BSD a perfect
solution in the server room are also great characteristics to have in a desktop system.
When I hear "BSD" I think of stability, speed, grace under heavy work loads and
a practical immunity to most viruses. Who wouldn't want those traits in their desktop?
It's that sort of thinking which has led to projects such as PC-BSD (http://pcbsd.org),
which took FreeBSD and placed a desktop layer over it. And FreeBSD isn't the
only member of the family being dressed up and displayed to the masses. Recently
NetBSD and OpenBSD have also been getting friendly new looks via the Jibbed (http:
//www.jibbed.org) and GNOBSD (http://gnobsd.sri-dev.de) projects respectively. Both
projects take the basic system and add a user-friendly desktop on a live disc. This
makes exploring OpenBSD and NetBSD an easier task for people who might not
otherwise test drive these powerful operating systems. Last week Zafer Aydogan,
founder of Jibbed, and Stefan Rinkes, founder of GNOBSD, agreed to talk about their
projects, themselves and BSD.


54 BSD 3/2010 


BSD Mag: To start, could you
please tell us a little about
yourself? Where are you from and
how did you get started with BSD?
SR: I'm 23 years old and live in Kirchheim,
near Munich in Germany. I had my first
experiences with OpenBSD during my
apprenticeship as an IT specialist about
two years ago.

ZA: I'm living in Kiel, Germany, where
I was also born, but as you can see
from my name I'm Turkish. I was raised
bilingual.

I got in touch with FreeBSD in 1999
and moved to NetBSD in 2000. I've never
used OpenBSD. In my day job, I work as
a software engineer in a small company.


BSD Mag: Why did you decide to 
start your project? 

ZA: NetBSD does not create a live CD
during the release process, therefore there
are no official live CDs. The ones available
are outdated. I thought there would be
a demand for NetBSD live CDs that are
up to date, giving, especially, non-NetBSD
users the opportunity to get in touch with
the OS without installing it.

One of the characteristics of NetBSD
is their friendly and knowledgeable
community. Building and customizing the
live CD was not too difficult, since there
was already a script for building live CDs
in pkgsrc. I just built a framework around it,
to keep it simple and to be able to release
regularly.

SR: I'm one of those learning-by-doing
guys, so GNOBSD was the perfect way to
learn more about OpenBSD, the installer,
programming (shell and Ruby) and how
to design GUIs. GNOBSD was a learning
project and I learned a lot.

I also thought it would help some
people to try OpenBSD and to test to see
if all of their hardware is detected and
working properly.


BSD Mag: What sort of feedback
have you received on the
project? Have people offered
suggestions, bug reports, feature
requests, assistance?

SR: The feedback I received was more
positive than negative. Some people even
offered to set up a mirror for GNOBSD. I'm
looking forward to getting more e-mails
with feedback.

ZA: I have received mostly positive
feedback. People are happy if they can
run NetBSD on their hardware. Negative
feedback comes from users that either
expect something different or are unable
to run the CD. I'm trying to implement
suggestions, where possible and useful.


BSD Mag: OpenBSD and NetBSD 
are known for their security and 
flexibility on servers, do you 
think they also make for good 
desktop systems? 

ZA: Definitely NetBSD has made 
remarkable progress in being a desktop 
system. It still needs some effort and 
patience during setup, but it is possible to 
have a decent desktop system including 
Flash, being able to run Java applications 
and Cisco VPNs to your company 
network. 

SR: Of course. I think it is important to
use a secure OS as a desktop system.
You can use OpenBSD for a secured
office workstation, it has all you need. With
a stability which is hard to find elsewhere.


BSD Mag: GNOBSD and Jibbed 
are great ways to experiment 
with OpenBSD and NetBSD. Will 
there be future releases of these 
projects? Are there any new 
features planned? 

SR: There is the idea to provide code,
scripts and documentation, so that
everyone can build his/her own version
of GNOBSD. As easy as GNOBSD, but
customized to individual needs.

ZA: I'm currently preparing Jibbed-
5.0.2, which will be released as soon as
NetBSD-5.0.2 has been announced. The
most significant change on the CD will
be the switch to modular Xorg, which is
more up to date and can provide support
for more graphics cards than Xorg in the
base system. I've also added a couple
of new applications. The release after
that will be 5.1. I'm experimenting with
Gnome as a new window manager
and I'm also preparing a memory-stick
version of Jibbed. The benefits of having
writeable media makes it a portable
NetBSD system on stick. Additionally,
I have recently started to code a graphical
installer using GTK2. It was bugging me for
a long time, not having one. Depending on
my spare time, you can expect a working
version in the next 12 months.


BSD Mag: Are you currently 
working on any other projects? 
SR: Just some small stuff, like
microcontroller programming and porting
some stuff to OpenBSD. And I'm currently
studying for a successful conclusion of my
apprenticeship. I'm sure there will be some
new projects when the exams are over.

ZA: No, I'm not. But, I would like to
thank all mirrors, who are generously
providing huge amounts of bandwidth every month
and of course all NetBSD developers for
making one of the best operating systems
in the world.


BSD Magazine would like to thank
Herr Rinkes and Herr Aydogan for taking
the time to talk about their projects. Your
author has had a chance to play with
both systems and they do indeed provide
an easy way to explore a BSD system,
lowering the bar for new adoption. The
BSD community will no doubt benefit from
their work.




About the author 


Jesse Smith is a system administrator and 
programmer by training, an open source 
advocate by choice and a writer at heart. 
When he's not working with computers, 
he loves spending time with his family and 
enjoying the natural beauty of his native 
Canada. 
BSD Goes to the Office:
Can BSD compete in a real life consulting workplace?


Mike Bybee
Consultant, Fujitsu America


There are many articles that expound on the success of Linux as a desktop, and quite
a few accounts of using a Linux desktop in this case or that case.


There are fewer articles regarding a BSD based system
as a desktop, largely due to its status as a solid back office
system. BSD quietly powers a great deal of devices in
its many variations and incarnations, from firewalls and
mail servers to routers and switches. Running BSD as a desktop
is still relatively rare, and it is a far less publicized desktop than
its distant cousin, Linux. What fame it has relates mostly to the
common base it shares with Darwin, the base for Apple's popular
OS X system.

I undertook an experiment with the support of my employers
to determine the viability of a BSD desktop in a real world
high pressure consulting engagement. The life of a consultant
requires absolute attention to the requirements of a client, so
there can be no compromises made on their side to allow for
any incompatibilities or shortcomings. This differs from the
usual article of this type by providing a systems administration
and consulting perspective instead of a journalist or home user
perspective.

For this experiment I chose to use Sun Virtual Box to run a PC-BSD
8 Release Candidate guest operating system. Sun Virtual
Box was chosen largely due to the ease of use and support for
a wide variety of guest and host operating systems. PC-BSD 8
was chosen as it provides an excellent end-user experience with
a minimum of steps, and is based on the new FreeBSD 8. The
hardware I'm running this on is an older Fujitsu LifeBook E8110
with 1GB of RAM. The primary OS is the venerable Windows XP,
still the darling of the corporate world. The performance is poor
but tolerable, and there is typically noticeable swapping during
regular usage.

Here you can see my standard corporate desktop, and 
inset the new guest OS that will soon supplant it. From the task 
manager, you can see that it produces a very minimal load on 
the host system. 


The first step was to install Sun Virtual Box 3.12 on
Windows XP. The installation was quick and straightforward.
I then created a guest system, choosing FreeBSD as the guest
OS. I set the memory to a mere 400MB, enabled acceleration,
and created a 20 GB virtual disk based on dynamic allocation.
I then inserted a PC-BSD 8 install DVD and started the guest
OS.

PC-BSD has an attractive graphical installer, which provided
a good guide for the installation process. I chose to manually
set up the partitions, and enabled whole disk encryption for
/usr (based on GELI). There was no prompt to allow me to set
up a manual password for this disk, but this was easy enough
to configure later. I chose to install all of the default packages,
including Firefox, Open Office, VLC, Pidgin and more, and then
let it run.

The install ran for about 30 minutes without presenting 
too much of an issue for my standard tasks. At this point, 
my machine was swapping a bit as 1GB of RAM is not really 
enough even for standard Windows XP to run comfortably. 
There was some lag on the desktop, but it was really only 
noticeable in Outlook. 

After a reboot of the guest machine, I was confronted with
a minor bug in the install process; the system was attempting
to mount /usr with an invalid label. This has been fixed in
the installer code and shouldn't cause any further issues.
I rebooted once the error was corrected and it proceeded
into a graphical screen where I could choose my X driver and
resolution. As of this writing, the native Virtual Box drivers are
not included, so I had to set it initially to VESA. The KDE 4.3.4
desktop popped up, fully populated with the apps I had chosen,
and response was surprisingly good. I installed the Virtual Box
drivers from /usr/ports/emulators/virtualbox-ose-additions and
set vboxguest_enable="YES" in /etc/rc.conf. Restarting without
X running, and then executing Xorg -configure handled the
rest of the display setup.

Once the Virtual Box drivers were
turned on it was very smooth, attractive,
and seamless. I was even able to
enable the KDE compositing effects
via XRender while still getting decent
responsiveness from the GUI. At this
point, I was ready to begin configuring
the new desktop.

The Xmarks utility provided quick
and painless synchronization of my
bookmarks and (optionally) stored
passwords from my primary desktop
to my PC-BSD desktop. I immediately
switched off my desktop browser in
favor of the guest and was impressed
that nearly every site I routinely access
worked fine.

The client I am at makes great use
of Microsoft SharePoint for collaboration
and document storage, and it doesn't
integrate with Firefox as tightly as
with Internet Explorer. All the same,
I was just prompted for my Active
Directory password and [illegible in extraction] handler
app for the various files. Open Office
responded quickly and smoothly, and
the experience of opening, reading,
and editing documents on SharePoint
was acceptable. Open Office even
handled password-protected documents
properly.

The next major hurdle was handling
remote Microsoft Windows servers.
Many clients use Windows servers and
they typically need to be accessed via
Remote Desktop. The PC-BSD Software
Manager (conveniently accessible via
a desktop or menu shortcut) provided
me quick access to the PBI repository
at http://pbidir.com as well as integrating
the installation and version management
features. I was able to find and download
the PBI package for Remote Desktop
quickly and install it without any fuss.

Figure 4. Remote Desktop under PC-BSD 8

[...] Unix hosts with SCP, SSH, and various
X11-based utilities. Under Windows this
is accomplished with a variety of tools:
PuTTY, WinSCP, and of course an X11
client are all commonly used. PuTTY
is available as a PBI in the event you
need it, but in my experience I found it
was faster and easier to use the native
tools under all circumstances. Likewise
scripting and editing files is easy via Vim
or Kate, with Emacs available as a PBI
package.

Instant Messenger functionality is
crucial in a modern distributed workplace,
and some corporations have a specific
list of approved instant messenger clients.
Normally I would use Pidgin and a plug-in
such as SIPE if needed. Since WINE does
not yet provide good support for this app
and we were prohibited from using any
other client, I fell back to using the web-
enabled version.

Many tasks involve managing large
enterprise databases such as Oracle.
The OEM Grid Control tools functioned
without issue, and it is even possible to
install Oracle Express Edition for Linux
via the built-in Linux Compatibility layer
under BSD, though I didn't have the time
to complete that for this test. Management
of DB2 was also easy. I did run into some
road bumps managing Microsoft SQL
servers. The easiest method for managing
SQL servers was simply to log in via
Remote Desktop.

My take away from this experience
is that BSD is now capable of being
used in a professional consulting
environment, and provides the same
levels of supportability and security
that we expect from our servers in an
extremely inexpensive package. PC-BSD
8 performed better than I had hoped,
especially when running on so little
memory. It is telling that a guest OS
running in only 400 MB of RAM was able
to outperform a bare metal host OS with
full access to the entire 1 GB. Sun Virtual
Box also ran very well, and did a great
job running a guest OS without impacting
the host excessively. Running in LiveUSB
mode with full access to the host, PC-
BSD gave my laptop a new lease on life.
As a replacement OS it would probably
extend the service life of this laptop by an
additional year or two, and with a lower
operating cost.

Disk setup (figure caption; image not reproduced)

* http://www.virtualbox.org/
* http://wiki.freebsd.org/VirtualBox
* http://sipe.sourceforge.net/
* http://www.pcbsd.org/
* http://www.chiark.greenend.org.uk/~sgtatham/putty/
* http://pbidir.com/
* http://www.xmarks.com/
* http://en.wikipedia.org/wiki/Geli_%28software%29
* http://www.freebsd.org/doc/handbook/disks-encrypting.html
Notable features include:

* Dual Intel® 64-Bit Socket 1366 Quad-Core or Dual-Core, Intel® Xeon® Processor 5500 Series
* 4U Storage Server Chassis with up to 72 TB storage capacity
* 36 x 3.5" Hot-Swap SAS/SATA HDDs (24 front side + 12 rear side)
* 1400 W (1+1) Redundant High Efficiency Power Supply (Gold level 93%+ power efficiency)
* Dual Intel® 5520 chipsets, up to 6.4 GT/s
* Up to 144GB DDR3 1333/1066/800 MHz ECC Registered DIMM/24 GB Unbuffered DIMM
* 2 (x16) PCI-E 2.0, 4 (x8) PCI-E 2.0 (1 in x16 slot), 1 (x4) PCI-E (in x8 slot)
* Intel® 82576 Dual-port Gigabit Ethernet Controller





iXsystems Introduces the Orion II 4U Storage Solution


The iX-N4236 boasts energy efficient technology and maximum, high density storage capacity, creating a 4U
powerhouse with superior cooling.

[...] delivering high-end storage density within a single machine, iXsystems cuts operating costs and reduces energy requirements.

[...] environments requiring maximum storage capacity and efficiency, 2TB Enterprise-class drives are available from Western
Digital®, Seagate®, and Hitachi. These drives feature technologies to prevent vibration damage and increase power
savings, making them an excellent choice for storage-heavy deployment schemes.


Powerful Intel® Xeon® 5500 Series Processors have a light footprint, while creating a perfect environment for intense
virtualization, video streaming, and management of storage-hungry applications. Energy efficient DDR3 RAM
complements the other power saving components while still providing 18 slots and up to 144GB of memory overall.


100% cooling redundancy, efficient airflow, and intelligent chassis design ensure that even under the heaviest of 
workloads, the Orion II remains at an optimal temperature, while still drawing less power than other servers in its class. 
With a 1400 W Gold Level (93%+ efficient) power supply, the entire system works together to efficiently manage power 
draw and heat loss. 


For more information or to request a quote, visit: 
http://www.iXsystems.com/Orion2 